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Preface 


This  work  was  developed  during  a  summer  internship  between  coauthor  Charles 
Huber’s  junior  and  senior  year  in  Computer  Science  at  Pennsylvania  State 
University.  Huber  was  approached  by  Patrick  McDaniel  during  his  junior  year  to 
become  a  research  assistant  with  the  Systems  and  Internet  Infrastructure  Security 
(SIIS)  laboratory  at  Pennsylvania  State.  Part  of  SIIS’s  ongoing  research  efforts 
includes  collaboration  with  the  Cyber-Security  (CSec)  Collaborative  Research 
Alliance  (CRA).  The  US  Army  Research  Laboratory  sponsors  the  CSec  CRA,  and 
Huber  was  given  an  opportunity  to  conduct  research  over  the  summer  with  the 
Computational  and  Information  Sciences  Directorate.  Thus,  this  research  is  part  of 
a  larger  ongoing  body  of  research  directed  toward  the  goals  of  the  CSec  CRA. 
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1.  Introduction 


As  computer  technology  becomes  more  integrated  into  a  Soldier’s  equipment,  it 
beeomes  vital  to  proteet  software  and  networks  from  exploits  and  attaeks.  It 
becomes  espeeially  important  to  secure  software  and  networks  during  a  eyber 
operation  to  maintain  the  confidentiality,  integrity,  and  seereey  of  data.  Massive 
amounts  of  researeh  have  foeused  on  deteeting,  analyzing,  and  reacting  to  attacks 
of  all  kinds.  However,  eurrent-day  agility  is  mostly  reactive.  A  network 
administrator  usually  must  react  to  an  attack,  making  it  very  diffieult  to  keep 
information  from  being  stolen  or  even  keep  the  network  up  and  running  at  full 
capability.  A  decision-support  tool  can  help  an  administrator  make  effeetive,  agile 
deeisions,  seeuring  both  software  and  network  assets;  moreover,  this  tool  ean 
provide  a  more  proaetive  defense  during  eyber  operations.  One  such  decision  tool 
is  the  Cyber  Fighter  Associate  (CyFiA). 

2.  Background 

The  CyFiA  is  a  decision-support  program  currently  being  developed  and  is  based 
on  work  done  on  the  Pilot  Associate'  and  Warfighter  Associate  programs. The 
CyFiA  proposes  agility  maneuvers  to  a  user  based  on  cost  and  utility  of  the 
maneuver  as  well  as  the  network  and  node  facts.  The  program  responds  to  eertain 
data  stimuli  to  propose  agility  maneuvers  to  a  user.  The  eontrol  flow  of  the 
program  models  a  human  Observe,  Orient,  Decide,  Aet  (OODA)  loop.  The 
OODA  loop  has  been  used  as  a  model  to  deseribe  deeision-making  in  military 
environments,  making  it  a  reasonable  model  to  use  in  the  CyFiA. 

To  test  the  CyFiA,  a  simulation  was  designed.  We  are  using  a  program  called 
Cyber  Army  Modeling  and  Simulation  (CyAMS).  CyAMS  can  model  on  very 
large-scale  networks  with  the  help  of  a  high-performanee  computing  system. 
CyAMS  has  demonstrated  the  ability  to  model  networks  eontaining  up  to  35 
million  nodes.  As  a  test  environment  a  moek  network  of  10  nodes  was  created  in 
CyAMS;  a  eost  program  was  written  to  caleulate  eritical  path,  pateh  routing,  and 
agility  maneuver  eost"';  a  graphical  user  interface  (GUI)  was  ereated  to  display  the 
moek  network;  and  a  eommunieation  program  was  written  so  that  the  CyFiA  and 
the  eost  program  eould  eommunicate  with  CyAMS  and  viee  versa.^  Figure  1 
accurately  displays  the  eommunieation  setup  between  all  5  parts  of  the  simulation. 
Details  of  the  protocol  design  can  be  found  in  a  2002  referenee  work.^  (The 
Appendix  provides  a  listing  of  eode.) 
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Cyber  Associate 


Fig.  1  Simulation  communication-protocol  layout 

3.  Cyber  Fighter  Associate  Design 

The  CyFiA  is  written  using  the  Java  programming  language  in  coordination  with 
an  Xbase  domain-specific  language  designed  by  Veloxiti,  Inc.,  of  Alpharetta, 
Georgia.  This  combination  is  known  as  a  Solomon  project.  Solomon  projects  run 
using  the  Solomon  engine.  This  engine  was  created  by  Veloxiti.  The  Solomon 
engine  runs  2  graphs.  The  first  is  the  Observe-Orient  (0-0)  graph;  the  second  is 
the  Decide-Act  (D-A)  graph.  Both  graphs  have  a  specific  file  type;  .kb. 

The  0-0  and  D-A  graphs  consist  of  beliefs,  plans,  goals,  links,  and  monitors. 
Beliefs  only  exist  in  the  0-0  graph.  Plans  and  goals  only  exist  in  the  D-A  graph. 
Links  are  used  to  connect  beliefs  to  beliefs  or  to  connect  plans  to  goals  and  vice 
versa.  Monitors  are  used  as  bridges  from  the  0-0  graph  to  the  D-A  graph. 
Figures  2  and  3  show  small  portions  of  the  0-0  and  D-A  graphs,  respectively. 
(Due  to  their  sizes,  the  graphs  could  not  be  shown  in  their  entirety.) 

There  are  other  output  entities  that  exist  on  monitors  and  plans.  Whenever  a 
monitor  is  triggered,  it  is  possible  to  notify  the  user  using  a  notification  and  by 
specifying  the  notification  type  in  a  handler.  This  tool  is  very  useful  for  both 
debugging  and  for  understanding  how  the  engine  works.  Notifications  can  only  be 
sent  from  monitors.  In  a  similar  way,  actions  and  proposals  exist  on  plans.  An 
action  is  a  form  of  output  where  the  engine  tells  other  parts  of  the  program  to  do 
something.  This  process  was  used  in  the  CyFiA  when  cost  values  were  needed 
from  the  cost  program.  Proposals  are  similar  to  notifications,  but  they  serve  a 
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different  purpose.  Proposals  are  aetions  that  the  engine  suggests  to  the  user. 
Whether  these  actions  are  carried  out  is  completely  up  to  the  person  receiving  the 
proposal.  In  the  simulation,  proposals  came  in  the  form  of  agility  maneuvers,  so 
multiple  proposals  were  often  given.  In  addition,  due  to  the  nature  of  the 
simulation,  proposals  were  not  used  frequently — if  at  all — ^because  all  of  the 
actions  were  automated  and  there  was  no  human  interaction. 
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Fig.  2  Beliefs,  links,  and  monitors 
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Fig.  3  Plans,  goals,  and  monitors 
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The  Java  files  were  created  to  run  the  engine  as  well  as  listen  for  new  information. 
Threading  allows  the  engine  to  run  on  its  own  thread  concurrently  with  other  parts 
of  the  associate. 

4.  Interacting  with  Network  Simulations  and  Cost  Programs 

A  network  is  made  up  of  nodes  that  all  have  varying  characteristics.  For  this 
reason,  the  Node  class  was  created.  Nodes  have  the  following  characteristics:  a 
node  identification  (ID),  the  operating  system,  a  capability  metric,  the  node’s 
geographical  location,  a  computation  rate,  battery  power,  transfer  and  receive 
rates,  node  criticality,  a  patch-origin  flag,  a  list  of  connections,  and  node  health. 
The  node  ID  was  an  identifier  consisting  of  a  number  stored  as  a  string.  This 
allows  ID  to  be  simple  and  the  process  made  passing  it  through  the  graphs  easy. 
The  list  of  connections  is  a  list  of  nodes  to  which  a  given  node  is  connected.  Node 
criticality  is  a  Boolean  that  is  true  if  the  node  is  along  the  critical  path.  At  this 
time,  node  health  is  a  string  that  represents  the  state  of  the  node.  A  node  could  be 
infected,  vulnerable,  susceptible,  or  immune.  For  nodes  that  are  infected  by  the 
malicious  application,  the  node  health  is  set  to  “infected”.  Likewise,  nodes  that 
are  patched  have  a  health  set  to  “immune”.  Vulnerable  health  means  that  a  node 
has  not  been  infected  but  is  also  not  immune  while  susceptible  health  means  the 
node  is  vulnerable  and  also  communicates  with  a  known  infected  (or  previously 
infected  node). 

Another  important  part  of  the  CyFiA  is  the  database  class.  To  make  fast 
computations,  it  is  important  to  have  some  information  ready  to  use.  The  database 
contains  a  list  of  all  the  nodes.  Every  time  a  node  is  created,  it  is  stored  in  the 
database  along  with  all  of  the  node’s  attributes.  The  database  also  contains  the  list 
of  nodes  that  make  up  the  critical  path.  This  list  makes  accessing  the  nodes  on  the 
critical  path  easy  and  quicker  than  repeatedly  checking  a  node’s  criticality.  The 
database  is  a  static  entity.  This  term  means  that  there  is  only  one  database.  A 
“getter  method”  is  made  to  get  the  instance  of  the  database.  Having  a  static 
database  is  important  because  the  database  is  not  bound  to  any  specific  class  and 
can  be  accessed  by  multiple  threads.  The  database  class  also  has  many  important 
methods  to  keep  it  and  the  nodes  stored  in  it  updated.  The  database  has  the  ability 
to  change  features  in  nodes. 

Once  started,  the  CyFiA  continuously  receives  input  and  is  constantly  processing 
data.  Input  is  parsed  and  converted  into  a  belief,  but  the  engine  must  run  from  a 
single  thread.  To  overcome  this  restriction,  a  blocking  queue  was  created  inside 
the  Request  Handler  class.  This  class  was  initially  designed  to  handle  requests 
that  had  to  be  sent  to  the  cost  program,  and  it  would  also  send  actions  back  to 
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CyAMS;  however,  this  initial  design  was  ehanged.  The  Request  Handler  now 
sends  and  reeeives  requests  to  the  eost  program  and  also  has  a  seeond  bloeking 
queue  that  holds  beliefs  to  be  pushed  to  the  engine.  The  “makeBelief  ’  method  is 
used  to  take  the  top  belief  off  the  queue  and  push  it  to  the  engine  for  proeessing. 
The  Request  Handler  elass,  like  the  database,  is  also  statie.  The  handler  needed  to 
be  designed  so  that  there  would  only  be  one  queue  for  beliefs  and  only  one  queue 
for  requests. 

CyAMS  sends  information  to  the  CyFiA  via  multiple  ports.  Ports  3031,  3041, 
3051,  3061,  and  3071  were  all  used  in  reeeiving  information  from  CyAMS.  To 
handle  all  of  the  information,  the  Soeket  Listener  class  was  made.  Information  is 
passed  between  programs  using  the  User  Datagram  Protocol  (UDP).  Because 
UDP  was  implemented,  setting  up  port  communications  was  relatively  easy — ^but 
UDP  does  not  guarantee  that  the  information  received  is  in  the  order  that  it  is  sent. 
Data  were  sent  as  a  string  of  comma-separated  values.  The  function  used  to 
receive  data  from  CyAMS  is  implemented  using  a  series  of  “if’  statements  to 
determine  how  to  parse  the  information  received  on  each  port.  Once  information 
is  received,  it  is  parsed  using  the  method  “setInData”.  This  method  parses  data  as 
a  single  string.  The  string  is  then  split  using  the  split  function  using  a  delimiter  of 
a  comma  and  stored  in  a  string  array  called  tokens.  Every  packet  received  was 
expected  to  contain  specific  information  based  on  the  port  number  on  which  it 
was  received.  This  information  was  also  expected  to  be  in  a  specific  order,  so  a 
string  array  was  an  easy  solution  for  indexing  that  data  and  using  it  to  create 
beliefs.  The  Socket  Listener  creates  beliefs  and  adds  them  to  the  belief  queue  in 
the  request  handler.  Therefore,  the  Socket  Listener  class  calls  an  instance  of  the 
Request  Handler  so  that  when  it  receives  data  from  CyAMS,  it  will  create  the 
appropriate  belief  and  add  the  belief  to  the  queue.  The  Socket  Listener  class 
implements  the  Runnable  Java  interface.  This  means  that  it  can  run  on  a  separate 
thread.  Live  separate,  concurrent  Socket  Listener  threads  receive  information 
from  CyAMS.  A  sixth  thread  is  initially  run  to  receive  the  initial  critical  path  from 
the  cost  program,  but  it  is  then  stopped  so  that  the  port  can  be  used  again  later. 

Threading  is  a  large  part  of  the  CyLiA;  to  manage  all  of  the  threads,  the  CyLiAJob 
class  was  made.  This  class  has  3  purposes.  The  first  purpose  is  to  instantiate  and 
run  all  of  the  socket  listeners.  The  second  purpose  is  to  constantly  check  the 
Request  Handler  class’s  belief  queue.  If  the  queue  has  a  belief  in  it,  the  class 
makes  a  call  to  the  Request  Handler’s  “makeBelief’  method.  This  method  takes 
the  top  belief  off  the  queue,  determines  which  belief  to  create,  creates  the  belief, 
and  updates  the  engine.  Creating  beliefs  inside  the  CyLiAJob  class  ensures  that 
the  engine  is  constantly  being  updated  by  the  same  thread  even  though  the 
Request  Handler  queue  can  be  updated  in  many  threads.  The  final  purpose  of 
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CyFiAJob  is  to  create  a  thread  for  sending  an  aetion  baek  to  CyAMS.  This  thread 
runs  the  AutomatedAetionSender  elass.  In  addition  to  the  soeket  listeners  and  the 
CyFiAJob  elass,  there  are  3  other  classes  that  all  run  inside  a  single  thread 
provided  by  the  Solomon  engine.  The  engine  provides  2  different  types  of  output 
providers.  The  first  is  a  basie  output  provider.  This  type  of  output  provider  bloeks 
the  engine  every  time  an  action,  notification,  or  proposal  has  to  be  created  and 
output.  The  seeond  type  of  output  provider  is  the  threaded  output  provider.  This 
provider  ereates  separate  threads  for  notifieations,  proposals,  and  aetions.  In  the 
CyFiA,  the  threaded  output  provider  is  used. 

The  Notification  Handler  elass  handles  all  of  the  notifieations  inside  the  threaded 
output  provider.  The  handler  also  holds  the  custom  code  that  makes  a  notification. 
This  design  is  useful  beeause  notifieations  ean  take  different  forms;  therefore, 
writing  custom  code  for  each  different  notifieation  is  necessary.  When  a 
notification  is  instantiated  on  a  monitor,  it  is  added  to  a  queue.  Using  a  speeial 
method  ealled  “proeess”  that  is  provided  by  the  output  provider,  a  notifieation  is 
pulled  off  the  queue.  The  notifieation  handler  determines  what  kind  of  instanee 
the  notifieation  is  by  using  a  series  of  if-else  statements.  Onee  the  eorreet 
notifieation  instanee  is  found,  the  custom  notification  code  is  exeeuted  and  a 
notifieation  is  displayed.  This  proeess  works  the  same  way  for  proposals,  as  well. 

The  Proposal  Handler  elass  handles  all  the  proposals  inside  the  threaded  output 
provider.  The  Proposal  Handler  functions  exactly  like  the  Notifieation  Handler. 
The  CyFiA  has  a  simple  proposal  handler  and  does  not  output  proposals  beeause 
the  simulation  did  not  need  proposals  to  be  displayed.  The  CyFiA  will  eventually 
have  many  proposals  for  eaeh  agility  maneuver. 

The  Actions  Handler  elass  is  the  most  eomplex  of  the  handler  elasses.  When  an 
aetion  is  ereated  and  sent  from  a  plan,  it  is  put  in  a  queue.  Using  the  method 
proeess  (just  like  notifieations  and  proposals),  the  top  aetion  is  taken  from  the 
queue  and  is  checked  against  a  series  of  if-else  statements  until  the  eorreet 
instanee  is  found.  The  aetion  is  then  exeeuted.  Actions  are  eomplex  beeause  some 
require  eomputations  and  may  even  make  beliefs.  For  this  reason,  the  Aetion 
Handler  class  has  an  instance  of  both  the  Request  Handler  elass  and  the  database. 
There  are  7  aetions  handled  by  the  handler.  The  first  aetion  is  named 
“CheckCritiealNodes”.  This  action  is  called  when  a  new  infeeted  node  is 
introdueed  to  the  engine.  Onee  a  new  infeeted  node  is  deteeted  (received  from 
CyAMS),  the  eritieal  path  is  eheeked  for  nodes  whose  health  is  suseeptible.  The 
suseeptible  node  health  means  that  the  node  is  directly  connected  to  an  infected 
node.  It  is  important  to  make  sure  the  eritieal  path  is  secured,  so  it  is  important  to 
perform  agility  maneuvers  on  suseeptible  and  vulnerable  eritieal  nodes  first. 
Therefore,  if  a  eritieal  node  is  suseeptible,  a  belief  is  ereated  to  update  the  engine 
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and  do  agility  maneuvers  on  the  susceptible  node.  If  a  susceptible  critical  node 
does  not  exist,  the  function  will  search  the  critical  path  for  vulnerable  critical 
nodes,  and  agility  maneuvers  will  be  performed  on  a  particular,  but  arbitrary, 
vulnerable  critical  node.  If  the  critical  path  is  secured,  the  search  to  find  a 
vulnerable  or  susceptible  critical  node  should  not  run.  In  addition,  it  is  necessary 
to  query  the  D-A  graph  to  determine  whether  the  action  is  being  executed  without 
a  new  infected  node  being  passed  into  the  engine.  (At  the  writing  of  this  report, 
this  particular  query  has  a  defect  that  occurs  for  an  unknown  reason.  It  can  cause 
redundancies  in  engine  execution  and  lead  to  multiple  outputs  for  a  single  input 
and  sometimes  infinite  loops.  This  complication  will  be  described  in  more  depth 
in  Section  7.) 

The  second  action  in  the  handler  is  “UpdateNetworkHealth”.  The 
UpdateNetworkHealth  action  changes  nodes  health  throughout  the  network  inside 
the  database.  For  example,  if  Node  3  became  infected  and  Nodes  4-6  were  all  not 
immune,  their  node  health  would  be  updated  to  vulnerable  or  susceptible 
depending  on  whether  they  are  connected  to  the  infected  node.  This  action  is  also 
used  to  update  a  single  node’s  health  to  immune.  If  a  node  is  patched  or  healed, 
then  it  becomes  immune  and  needs  to  be  updated  in  the  database  so  that  all 
information  is  up  to  date.  The  next  4  actions  are  “IPBlockCost”,  “WallOffCost” 
or  Quarantine,  “BestThroughputCost”,  and  “HealSoftwareCost”.  All  4  of  these 
actions  have  the  same  purpose,  and  they  all  send  a  request  to  the  cost  program 
requesting  costs  for  the  specific  agility  maneuver.  The  4  agility  maneuvers 
represented  by  these  actions  are  Intrusion  Prevention  (IP)  blocking;  function 
quarantining;  patching  via  a  best  throughput  path;  and  software  healing.  (These 
maneuvers  will  be  explained  in  more  detail  in  Section  5.)  Each  of  these  4  actions 
blocks  and  waits  for  a  response  from  the  cost  program.  After  a  response  is 
received  from  the  cost  program,  the  action  continues  by  adding  an  “automated 
action”  to  the  Automated  Action  Sender  class  list.  The  last  action  handled  by  the 
actions  handler  determines  how  many  agility  maneuvers  are  possible  given  any 
particular  node.  The  maximum  number  of  agility  maneuvers  for  this  simulation  is 
4;  IP  blocking,  function  quarantining,  software  healing,  and  patching.  However, 
there  may  be  times  in  which  certain  agility  maneuvers  are  just  not  possible.  For 
example,  if  a  patch  file  does  not  exist,  it  would  be  impossible  to  patch.  In 
addition,  if  a  newly  infected  node  is  being  handled,  it  would  be  impossible  to 
implement  an  IP  block  because  a  node  cannot  be  blocked  from  itself.  The  last 
action  in  the  Actions  Handler  is  “StartActionSender”.  “StartActionSender”  gets 
the  instance  of  the  Automated  Action  Sender  and  calls  the  function 
“getNumActions”  that  runs  a  series  of  checks  and  queries  into  the  graph  to 
determine  which  agility  maneuvers  are  valid;  then,  it  set  a  variable  to  the  number 
of  agility  maneuvers  possible. 
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The  Automated  Action  Sender  class  is  the  decision-making  class.  This  program 
decides  which  agility  maneuver  to  execute  in  the  simulation.  In  its  final  form,  the 
CyFiA  may  have  a  class  similar  to  the  Automated  Action  Sender  but  it  probably 
will  not  act  on  decisions  automatically.  The  Automated  Action  Sender  class  also 
implements  the  Runnable  Java  class  and  contains  the  run  function.  There  is  a 
“while”  loop  inside  the  run  function  that  is  always  executed.  There  is  an  “if’ 
statement  inside  the  “while”  statement  that  checks  whether  a  list  called 
“actionList”  has  a  size  equal  to  the  number  of  actions  determined  by  the  function 
getNumActions,  which  is  called  in  the  actions  handler.  If  getNumActions  is  never 
called,  then  the  “if’  statement  will  never  be  true  and  no  actions  will  be  sent  from 
the  action  list.  The  action  list  is  a  simple  array  list  that  holds 
“AutomatedActions”.  This  class  is  a  simple  object  class  that  creates  an  object 
tailored  to  match  the  input  CyAMS  is  expecting.  An  AutomatedAction  has  5 
characteristics:  request  ID,  a  starting  node,  an  ending  node,  the  action  to  be 
executed,  and  the  cost.  Every  time  a  cost  is  received  by  one  of  the  4  agility  cost 
functions  in  the  actions  handler  (described  earlier),  it  is  added  to  the  Automated 
Actions  Sender’s  action  list.  Once  the  list  size  equals  the  number  of  possible 
automated  actions,  a  sorting  function  is  run.  This  simple  sorting  function 
compares  the  costs  of  each  agility  maneuver  and  places  the  maneuver  with  the 
lowest  cost  at  the  first  index  of  the  list  (Index  0);  then,  the  Automated  Action 
Sender  opens  a  socket  to  CyAMS  on  Port  3010  and  sends  the  action  back  to 
CyAMS.  After  this  process  is  done — if  the  send  is  successful — the  Automated 
Action  Sender  checks  to  see  which  action  was  sent  and  creates  one  of  2  beliefs. 
The  first  belief  is  for  IP  blocking,  and  the  second  belief  is  for  all  other  agility 
maneuvers.  Two  separate  beliefs  are  required  for  the  following  reasons.  There  are 
2  distinct  types  of  agility  maneuvers:  software  and  network.  Software-agility 
maneuvers  directly  affect  a  node’s  software  and  applications.  In  this  simulation, 
all  software-agility  maneuvers  changed  a  node’s  health  to  immune.  However,  in 
network-agility  maneuvers,  a  node’s  health  would  be  changed  to  vulnerable  if  it 
was  not  so  already  and  if  it  was  not  infected.  Once  the  proper  belief  is  created,  it 
is  sent  to  the  request  handler’s  belief  queue  to  be  updated  into  the  engine. 

The  main  class  of  the  CyFiA  is  tasked  with  creating  the  engine,  creating  all  of  the 
handlers  for  the  threaded  output  provider,  and  starting  the  threaded  output 
provider.  The  main  class  also  threads  and  starts  the  CyFiAJob  class.  This  creates  a 
thread-like  hierarchy,  although  child  threads  run  concurrently  even  with  their 
parents.  Child  threads  in  this  context  refer  to  the  threads  that  are  created  within 
the  “main”  function  or  from  other  threads.  Figure  4  shows  the  hierarchical  view  of 
threads  from  their  instantiation  in  CyFiA. 
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5.  0-0  and  D-A  Graph  Design  and  Implementation 


The  Solomon  engine  uses  advanced  data  fdtering  to  make  decisions.  As  described 
earlier,  it  performs  this  function  by  modeling  an  OODA  loop  using  2  graphs,  the 
0-0  graph  and  the  D-A  graph.  Beliefs,  plans,  and  goals  have  2  special  types  of 
values:  keys  and  attributes.  A  node  of  the  graph  will  not  be  created  unless  all  of 
the  keys  have  a  value,  but  attributes  can  remain  null.  In  addition,  a  key  for  a 
particular  node  can  be  an  attribute  for  another  node  and  vice  versa.  Using  a 
similar  design  to  the  Warfighter  Associate,  one  key  is  shared  by  all  beliefs,  plans, 
and  goals  for  the  purpose  of  ID.  This  key  is  named  “requestid”.  The  requestid  is 
particularly  useful  when  querying  specific  nodes  in  the  graph.  Links  and  monitors 
are  used  to  exchange  data  from  node  to  node  and  from  graph  to  graph, 
respectively.  Links  and  monitors  also  have  special  constraint  functions  that  act  as 
“if’  statements  to  determine  whether  a  link  or  monitor  should  be  traversed.  For 
example,  if  a  link  constraint  fails,  then  the  child  node  that  is  connected  to  the  link 
will  not  be  updated.  Link  constraints  work  the  same  way  for  monitors.  The  0-0 
graph  takes  on  a  very  hierarchical  form,  whereas  the  D-A  graph  has  3  distinct 
graph  sections  as  shown  in  Fig.  5.  The  first  section  of  the  D-A  graph  contains 
plans  and  goals  to  maintain  situational  awareness  (SA).  The  second  part  of  the 
D-A  graph  contains  plans  and  goals  to  complete  the  cyber  operation.  The  last 
division  of  the  D-A  graph  contains  plans  and  goals  to  execute  agility  maneuvers. 

D-A  Graph  Top 


Fig.  5  D-A  main  goals 

The  0-0  graph  has  4  base  beliefs:  Node  Health  Change,  Node  Capability  Update, 
Node  Geo  Update,  and  Node  Battery  Update.  These  4  basic  beliefs  were  created 
to  align  exactly  with  the  Socket  Listener  class.  Because  specific  information  is 
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passed  on  each  port,  it  makes  sense  to  have  individual  beliefs  corresponding  to 
each  individual  port.  For  example,  if  data  are  received  on  Port  3051,  a  Node 
Health  Change  belief  will  be  created  and  added  to  the  request  handler’s  queue. 
When  that  belief  is  taken  off  the  queue,  the  request  handler  will  see  it  as  an 
instance  of  Node  Health  Change  and  update  the  engine  with  the  proper  belief. 
This  makes  getting  information  into  the  0-0  graph  very  easy.  All  4  base  beliefs 
link  to  a  single  belief  called  “Node  Attribute  Update”. 

Node  Attribute  Update  is  the  largest  belief  in  terms  of  attributes  because  it  pools 
all  of  the  information  and  is  connected  to  2  monitors  and  3  child  beliefs.  The  most 
important  part  of  this  belief  is  the  monitors.  The  first  monitor  is  “Battery  Level 
Low”.  This  monitor  is  only  fired  if  a  Node  Battery  Update  was  received  and  the 
battery  level  received  was  below  a  threshold  of  25  (25%  of  battery  capacity).  If 
the  battery  level  drops  to  or  below  the  threshold  of  25  and  the  node  is  part  of  the 
critical  path,  then  a  request  would  be  sent  to  the  cost  program  for  a  new  critical 
path  because  it  is  possible  the  node  does  not  have  sufficient  battery  to  complete 
the  mission.  At  this  time,  this  agility  maneuver  is  not  implemented  but  could  be  in 
the  future. 

The  second  monitor  is  “Update  Graph  Information”.  This  monitor  is  very 
important  because  it  leads  to  the  SA  section  of  the  D-A  graph.  The  SA  subtree  of 
the  D-A  graph  is  a  rather  simple  but  very  important  part  of  the  CyFiA  because  it 
keeps  the  database  updated.  The  monitor  updates  the  plan  “Update  Node 
Healths”,  which  is  a  child  under  the  goal  “Database  Updated”.  The  Update  Node 
Healths  plan  is  where  the  “Update  Network  Health”  action  is  instantiated.  Every 
time  the  Update  Node  Healths  plan  is  updated,  the  Update  Network  Health  action 
is  executed.  Therefore,  the  only  time  the  plan  should  be  updated  is  when  there  is  a 
node  whose  health  has  changed  to  infected,  which  is  a  constraint  on  the  monitor 
Update  Graph  Information.  The  monitor  will  not  update  the  Update  Node  Healths 
plan  unless  the  current  node  being  handled  by  the  CyFiA  is  an  infected  node.  This 
prevents  unnecessary  runs  of  the  Update  Network  Health  action  and  limits  actions 
to  run  only  when  the  network  nodes’  health  need  to  be  changed.  An  example  of 
how  Update  Node  Health  interacts  is  shown  in  Fig.  6. 
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Belief-to-plan  flow 


The  need  for  Node  Attribute  Update  as  a  belief  is  not  really  required,  and  in  the 
future  it  will  be  removed  for  better  data-filtering  teehniques.  However,  the  belief 
does  have  3  ehild  beliefs,  all  with  eonditional  links  and  all  that  are  similar  in 
nature.  The  3  ehild  beliefs  are  “Node  Vulnerable”,  “Node  Suseeptible”,  and 
“Node  Infeeted”.  These  beliefs  are  exaetly  as  they  are  titled  and  are  traversed  only 
if  the  node  health  of  the  eurrent  node  being  handled  by  the  engine  matehes  the 
respeetive  belief  (so  a  vulnerable  node  will  eause  the  Node  Vulnerable  belief  to 
be  updated  but  none  of  the  others).  All  3  beliefs  have  their  own  separate  monitors 
that  eonneet  to  the  same  plan:  “Survive  Environment”.  However,  the  monitors  are 
different  in  terms  of  eonstraints.  The  initial  eonstraint  on  the  “Node  Health 
Change  Infeeted”  monitor  eaused  the  monitor  to  fire  even  if  the  belief  had  not 
been  updated.  This  would  eause  an  infinite  loop  and  a  redundaney  in  agility 
maneuvers  for  nodes  that  were  already  being  handled.  A  simple  query  was  added 
to  the  monitor  that  would  query  all  Node  Attribute  Update  beliefs  with  a  eurrent 
request  ID.  If  more  than  one  Node  Attribute  Update  exists  with  the  same  request 
ID,  then  the  monitor  will  not  be  traversed.  This  ends  the  infinite  loop.  The  other  2 
monitors  do  not  have  this  restrietion  beeause  the  walks  through  the  graph  when 
these  monitors  are  used  are  not  the  same  as  the  walk  when  Node  Health  Change 
Infeeted  is  fired.  In  addition,  all  3  of  the  node-health-ehange  monitors  eause 
notifieations  to  be  added  to  the  threaded  output  provider’s  notifieation  output 
queue  (as  shown  in  Fig.  7). 
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//  Checks  to  make  sure  monitor  has  necessary  keys  before  firing 
constraint  fire 

var  boolean  okayToUpdate; 
okayToUpdate  =  false; 

var  NodeAttributeUpdate  query  =  new  NodeAttributeUpdate() ; 
query . set Request Id (source . request Id ) ; 

var  List<NodeAttributeUpdate>  resultList  =  graph .find(query) ; 

if  (( source . nodeHealth . equalsIgnoreCase ( "inf ected ") )  &&  ( source . nodeld  !=  null) 

{ 

okayToUpdate  =  true; 

} 

return  okayToUpdate; 

} 

compute  updateAttributes 

target . mostRecentVulnerabilitySignature  =  source . vulnerabilitySignature; 

target . mostRecentVulnerabilityName  =  source . vulnName; 

target . mostRecentNodeld  =  source . nodeld; 

target . mostRecentAttackType  =  source . attackType; 

target . mostRecentOs  =  source. os; 

target . mostRecentRequestId  =  source . requestid; 

target . mostRecentNodeHealth  =  source . nodeHealth; 

target . mostRecentNodeCriticality  =  source . criticality ; 

target . mostRecentCapability  =  source . capability ; 

def aultUpdateAttributes ( )  ; 

} 

initialize  nodelsinf ected  myNotif ication 

//  Calling  the  def aultInitNotif ication  allows  us  to  get  the 

//  auto-generated  assignments. 

def aultInitNotif ication (myNotif ication ) ; 

//  Then  add  our  customized  assignments 

myNotif ication . notificationDescription  =  "Node  Infected"; 

System . out . print In ( "Notification  initialized"); 


Fig.  7  Node  health  change  “infected”  with  notification  example 

The  3  health  beliefs  are  the  last  beliefs  in  the  0-0  graph  that  are  not  singletons. 
Due  to  the  nature  of  the  simulation,  complexity  beyond  that  point  could  not  be 
added  without  further  research.  The  simulation’s  main  focus  was  to  show  agility 
maneuvers  in  the  event  that  any  particular  node  became  infected  by  a  malicious 
application;  so,  node  health  was  seen  as  the  most  important  characteristic  in  a 
node  and  also  as  the  only  beliefs  that  would  cause  agility  actions.  When  any  of 
these  3  beliefs  was  updated,  the  monitors  attached  to  these  beliefs  would  connect 
and  update  a  plan  in  the  D-A  graph.  Survive  Environment. 

Survive  Environment  is  the  parent  to  2  different  branches  of  a  tree,  the  left  and  the 
right.  The  left  branch  contains  agility  maneuvers,  and  the  right  branch  determines 
on  which  node  the  agility  maneuvers  are  performed.  In  its  initial  design,  the 
CyEiA  would  receive  an  infected  node-health  update  from  CyAMS.  It  would  then 
traverse  the  graph  to  perform  agility  maneuvers  on  that  node.  Eurther  discussion 
into  how  agility  was  to  be  implemented  and  the  overall  goal  of  agility  led  to  a  new 
implementation;  Instead  of  performing  agility  maneuvers  on  infected  nodes, 
agility  maneuvers  would  be  done  to  protect  critical  nodes  on  a  critical  path.  If  a 
critical  node  became  infected,  then  an  agility  maneuver  may  be  done  on  that  node, 
but  not  always  immediately.  Therefore,  the  right  branch  of  the  Survive 
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Environment  tree  is  always  traversed  first.  This  braneh  leads  to  a  plan  ealled 
“Seeure  Critieal  Path”.  In  this  plan,  the  aetion  “Cheek  Critieal  Nodes”  is  ereated 
and  sent  to  the  aetion  handler  for  exeeution.  Once  Check  Critical  Nodes  executes, 
a  new  Node  Attribute  Update  belief  is  made  and  added  to  the  Request  Handler 
class’s  belief  queue  to  be  pushed  to  the  engine.  The  new  belief  will  contain  the 
same  request  ID,  but  the  node  ID  and  node  health  will  be  different.  The  node  will 
also  be  critical  unless  all  of  the  nodes  along  the  critical  path  are  immune  to  the 
malicious  application.  The  Check  Critical  Nodes  action  will  not  select  another 
infected  node  even  if  a  critical  node  is  infected.  This  is  a  design  flaw  in  the  CyFiA 
and  will  be  fixed  in  future  iterations.  The  left  branch  of  the  Survive  Environment 
tree  is  not  traversed. 

At  this  point,  all  of  the  node  health  in  the  database  has  been  updated.  Although 
the  monitor  Update  Graph  Information  seems  as  if  it  could  be  linked  to  Node 
Infected,  this  could  possibly  cause  a  race  condition  between  it  and  Node  Health 
Change  Infected.  The  database  needs  to  be  updated  before  any  agility  maneuvers 
are  considered  because  if  the  database  does  not  have  up-to-date  health  for  all 
nodes,  then  selecting  a  node  on  which  to  perform  an  agility  maneuver  is  limited 
only  to  the  new,  infected  network  node.  Therefore,  the  Update  Graph  Information 
monitor  needs  to  fire  and  the  database  needs  to  be  updated  before  the  agility 
maneuver  occurs. 

Once  the  new  Node  Attribute  Update  is  pushed  into  the  engine,  the  belief  tree  is 
once  again  traversed,  but  this  time  no  monitors  connected  to  Node  Attribute 
Update  fire  because  of  constraints  on  those  monitors.  In  addition,  either  the  Node 
Susceptible  or  the  Node  Vulnerable  belief  will  be  updated.  These  beliefs  are 
exactly  the  same,  although  keeping  them  separate  helps  for  better  visualization 
and  neatness.  Both  beliefs  also  have  their  respective  monitors:  “Node  Health 
Change  Susceptible”  and  “Node  Health  Change  Vulnerable”.  These  monitors  are 
similar  to  the  Node  Health  Change  Infected  monitor  because  they  also  have 
notifications  that  are  created  and  output  when  the  monitor  is  fired.  Both  monitors 
also  target  the  Survive  Environment  plan.  When  Survive  Environment  is  updated 
by  Node  Health  Change  Susceptible  or  Node  Health  Change  Vulnerable,  the  left 
branch  of  the  Survive  Environment  tree  is  traversed  and  the  right  branch  is  not 
updated.  This  is  due  to  constraints  put  on  the  links  between  Survive  Environment 
and  each  branch.  The  link  between  the  left  branch  and  Survive  Environment 
checks  2  things:  the  current  node  and  the  critical  path.  The  link  will  only  be 
updated  if  the  current  node  ID  is  that  of  a  critical  node  or  if  every  node  in  the 
critical  path  is  immune.  The  database  provides  a  method  that  checks  every  node  in 
the  critical  path.  If  any  critical  node  does  not  have  an  immune  node  health,  then 
the  method  returns  false.  This  means  that  this  link  also  has  the  instance  of  the 
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database.  The  idea  behind  having  the  eonstraint  on  this  link  is  that  if  the  entire 
eritieal  path  is  immune,  then  it  should  not  matter  on  whieh  node  an  agility 
maneuver  is  performed  beeause  the  eyber  operation  will  be  sueeessful.  Therefore, 
if  a  new  infeeted  node  is  reeeived  from  CyAMS,  and  if  the  eritieal  path  is  seeured, 
agility  ean  be  done  direetly  on  that  node  immediately. 

The  left  braneh  begins  with  a  goal:  “PERFORMANCE  Eaeh  Thread  Managed”. 
This  goal  is  inspired  by  a  similar  goal  in  the  Warfighter  Assoeiate  with  the  same 
title.  Both  goals  have  a  similar  purpose  beeause  they  both  head  off  the  agility 
braneh  of  their  respeetive  programs.  The  ehild  plan  under  the  threat-management 
goal  is  “Agility  Maneuvers”,  whieh  has  spawned  2  trees.  Initial  design  of  the 
CyFiA  had  all  agility  maneuvers  grouped  under  one  general  goal,  but  seeondary 
design  divided  agility  maneuvers  into  2  elasses:  network  (Fig.  8)  and  software 
(Fig.  9).  This  design  allows  for  more  flexibility  when  determining  whieh  agility 
maneuvers  to  propose  to  a  user.  There  may  be  some  seenarios  in  whieh  software 
agility  is  impossible,  and  the  same  situation  is  true  for  network  agility.  By 
separating  them  into  subtrees,  only  one  eheek  is  needed  to  determine  whether 
software  or  network  or  both  types  of  agility  is  needed.  This  type  of  design  also 
allows  more  than  one  agility  maneuver  to  be  seleeted.  A  user  eould  deeide  to  do 
both  a  network  and  a  software  maneuver  to  seeure  the  eritieal  path  or  network. 
The  CyFiA  has  5  agility  maneuvers,  3  software  and  2  network,  although  only  4 
have  been  implemented.  In  the  CyFiA,  the  agility  maneuvers  are  aetions  that  are 
exeeuted  when  speeifie  plans  are  exeeuted. 
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Fig.  9  Cyber  Fighter  Associate  simulation  flow 
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Network  agility  is  agility  that  directly  affects  the  edges  and  shape  of  the  network 
graph.  In  the  CyFiA,  this  agility  set  contains  the  “IP  Block”  plan  and  the  “Change 
Critical  Path”  plan.  Network  agility  does  not  have  the  ability  to  change  a  node’s 
health  to  immune.  The  IP  blocking  is  an  agility  where  the  connection  between  one 
node  and  another  is  completely  severed.  In  the  simulation,  this  was  represented  by 
a  total  throughput  of  zero.  This  agility  maneuver  would  change  a  node’s  health 
from  susceptible  to  vulnerable.  Although  this  action  does  not  seem  to  solve  any 
problems  in  terms  of  security,  it  may  cost  less  in  terms  of  battery  and  time.  The  IP 
blocking  is  more  of  a  quick-fix  maneuver,  and  it  will  often  be  undone  after  a  node 
has  been  patched  or  healed.  Once  the  IP  Blockplan  is  updated,  the  “IP  Block 
Cost”  action  is  created  and  executed  by  the  actions  handler.  The  second  network- 
agility  maneuver,  the  Change  Critical  Path,  would  send  a  request  to  the  cost 
program  to  request  a  new  critical  path,  excluding  specific  nodes.  Initial  design  of 
the  CyFiA  would  request  a  critical  path  when  a  critical  node  became  infected  or 
when  a  critical-nodes  battery  fell  below  25%  capacity.  The  critical  path  could  not 
include  infected  nodes,  and  all  nodes  must  have  ample  battery  life.  (At  the  writing 
of  this  report,  pathing  algorithms  in  the  cost  program  were  not  complete; 
therefore,  this  agility  maneuver  was  left  for  future  work.) 

The  software-agility  walk  of  the  “PERFORMANCE  Each  Threat  Managed”  tree 
is  slightly  more  complex  than  the  network-agility  walk.  The  original  design  of  the 
CyEiA  had  a  Java  class  that  used  a  pseudorandom  generator  to  determine  whether 
a  patch  existed  and  returned  a  file  name  if  one  did.  During  the  course  of  this 
research,  the  team  abandoned  this  idea  and  the  class  was  deleted.  Instead,  a  patch 
file  was  created  on  the  goal  “Software  Secured”.  Using  the  engine’s  “onUpdate” 
method,  a  patch  file  name  and  size  are  set  as  attributes  inside  the  Software 
Secured  goal.  Both  the  patch  file  name  and  size  must  be  attributes  because  the 
goal  must  exist  (have  a  value  for  all  of  its  keys)  before  the  onUpdate  method  is 
called.  Otherwise,  the  goal  would  not  exist  and  all  child  software-agility 
maneuvers  would  not  exist.  After  a  patch  file  and  size  are  set,  the  Software 
Secured  goal  links  to  a  plan  “Secure  Software”. 

Secure  Software  branches  off  into  the  3  software-agility  maneuvers  “Wall- 
off/Quarantine  Eunction”,  “Heal  Software”,  and  “Patch  Pile”.  There  is  also  an 
action  that  lives  on  the  plan  Secure  Software,  “Start  Action  Sender”.  As  described 
earlier,  this  action  calls  the  “Automated  Action  Sender”  class  method 
getNumActions,  which  determines  how  many  agility  maneuvers  the  sender  is 
waiting  for  before  it  sorts  and  sends  the  lowest  cost  action  to  CyAMS.  This  action 
exists  here  because  of  the  way  the  graph  is  traversed  inside  the  engine.  Network- 
agility  maneuvers  are  always  traversed  first  in  a  post  order  fashion.  There  could 
already  be  one  agility  maneuver  in  the  sender  queue  by  the  time  the  total  number 
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of  actions  is  set,  but  this  is  not  a  problem  because  the  list  that  eontains  the 
maneuvers  must  be  equal  to  the  number  of  actions  for  the  Automated  Action 
Sender  to  start  the  sending  proeess.  The  number  of  notions  is  initially  set  to  -1,  so 
the  sending  process  will  not  start  until  the  getNumActions  method  is  run  at  least 
once.  After  this,  the  action-list  size  will  always  be  equal  to  or  less  than  the  total 
number  of  actions.  The  getNumAotions  will  always  be  set  to  at  least  2  actions  or 
more.  In  the  simulation,  walling  off  a  funotion  and  healing  software  are  always 
possible  agility  tasks.  Therefore,  the  number  of  actions  could  always  be  expected 
to  be  at  least  2. 

The  software-agility  plans  for  walling  off/quarantining  a  funotion,  patch  file,  and 
software  healing  have  the  same  plans  as  those  for  the  network-agility  plans.  All  3 
functions  have  an  action  associated  with  obtaining  a  cost  from  the  cost  program  to 
associate  with  the  agility  maneuver.  Once  the  cost  is  received  by  the  action,  an 
“Automated  Aotion”  is  created  and  added  to  the  sender’s  queue.  Once  the  action- 
list  size  equals  the  number  of  actions  expected,  the  list  is  sorted  and  the  lowest 
eost  action  is  sent  back  to  CyAMS.  After  the  action  is  sent  to  CyAMS,  a  singleton 
belief  is  created,  depending  on  whether  the  maneuver  selected  was  network  or 
software,  and  then  the  database  is  updated  based  on  this  belief 

6.  Cyber  Fighter  Associate  Simulation 

Our  generic  simulation  begins  when  CyAMS  creates  a  network  of  10  generic 
nodes.  For  simplicity,  all  10  nodes  are  identieal.  Faets  about  the  10  nodes  are  sent 
to  the  cost  program  and  to  the  CyFiA.  The  CyFiA  adds  all  of  the  nodes  and  their 
attributes  to  the  database.  This  setup  is  eomplieated  by  the  fact  that  the 
information  from  CyAMS  comes  in  the  form  of  “request  ID,  node  ID,  edge 
endpoint,  throughput”.  The  edge  endpoint  is  the  node  ID  of  a  node  that  is 
conneeted  to  the  node  ID.  For  example,  if  {0,1,2,10}  was  received,  then  Node  1 
would  be  connected  to  Node  2  with  a  throughput  value  of  10.  This  means  that  on 
any  given  packet,  2  nodes  are  received.  The  CyFiA  will  add  a  node  to  the 
database  if  it  does  not  already  exist  in  the  database.  In  addition,  the  CyFiA  will 
add  a  eonnection  to  a  node’s  connection  list  if  that  node  is  not  already  connected 
to  the  edge  endpoint.  After  all  10  nodes  are  added,  a  start  node  and  an  end  node 
for  a  eritieal  path  are  seleeted  in  CyAMS.  The  start  and  end  nodes  are  sent  to  the 
cost  program  to  determine  the  best  critical  path.  Once  the  eritieal  path  is 
calculated  by  the  cost  program,  it  is  sent  to  CyAMS  and  to  the  CyFiA.  This 
changes  the  criticality  of  the  nodes  that  are  along  the  eritieal  path  inside  the 
database.  Once  this  is  complete,  the  assoeiate  is  ready  to  evaluate  agility 
maneuvers. 
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For  the  patching  mission  where  an  infected/vulnerable  node  is  discovered  in  the 
network,  the  state  of  a  randomly  selected  node  is  set  to  infected/vulnerable.  A 
randomly  selected  node  contains  the  patch  for  that  infection/vulnerability  and  the 
state  of  that  node  is  set  to  immune.  This  information  can  be  used  by  the  pathing 
algorithms  to  determine  the  best  way  to  patch  the  infected/vulnerable  node. 

There  are  many  different  ways  a  patch  file  could  be  distributed  in  the  network.  A 
patch  file  could  be  routed  to  a  node  using  nodes  that  have  the  best  throughput,  but 
it  could  also  be  routed  using  nodes  that  have  good  battery  budget.  The  pathing 
algorithms  had  not  yet  implemented  this  feature  into  the  cost  program,  so  it  was 
decided  the  path  would  be  an  arbitrary  attribute  and  kept  in  the  CyFiA  when  that 
option  is  added. 

After  the  initial  immune  node  is  selected,  an  initial  infected  node  is  selected.  The 
infected  node  is  infected  by  a  generic  malicious  application.  Once  this  node  is 
selected,  CyAMS  sends  data  to  the  CyFiA,  which  receives  this  information  on 
Port  3051.  The  information  comes  in  the  form  {request  ID,  node  ID,  node  health, 
attack  type,  vulnerability  signature}.  The  attack  type  and  vulnerability  signature 
are  attributes  used  to  provide  legible  output  to  a  user.  They  are  unimportant  in 
terms  of  the  simulation,  but  they  are  important  in  terms  of  the  agility.  The  node 
health  of  the  node  ID  is  infected.  This  information  is  received  by  the  CyFiA 
inside  the  Socket  Listener  class.  The  listener  creates  a  “Node  Health  Change” 
belief  for  the  new  infected  node  and  adds  it  to  the  request  handler’s  belief  queue. 
The  CyFiAJob  class  checks  the  belief  queue,  takes  the  belief  off  the  top  of  the 
queue,  and  updates  the  engine.  The  engine  updates  the  proper  belief.  Node  Health 
Change.  Then,  the  Node  Health  Change  updates  the  Node  Attribute  Update  belief. 
The  Update  Graph  Information  is  then  fired,  and  the  Update  Graph  Information 
updates  the  plan  Update  Node  Healths.  Then,  the  Update  Network  Health  action 
is  added  to  the  threaded  output  provider’s  action  queue  and  executed.  All  of  the 
nodes  in  the  network  now  have  updated  health  based  on  their  connections  in  the 
network. 

In  the  0-0  graph,  the  Node  Attribute  Update  links  to  the  Node  Infected  belief. 
The  Node  Health  Change  Infected  monitor  is  then  traversed,  updating  the  D-A 
plan  Survive  Environment.  The  constraint  that  connects  Survive  Environment  to 
PEREORMACE  Each  Thread  Managed  fails,  but  the  constraint  that  connects 
Survive  Environment  to  Secure  Critical  Path  succeeds  and  eventually  updates  the 
plan.  The  Check  Critical  Nodes  action  is  then  initialized  and  sent  to  the  actions 
handler.  The  action  handler  executes  the  action  and  creates  a  new  Node  Attribute 
Update  belief  for  a  critical  node  that  needs  to  be  secured  and  adds  that  belief  to 
the  request  handler’s  belief  queue.  CyPiAJob  takes  the  belief  off  the  top  of  the 
queue  and  updates  the  engine.  The  existing  Node  Attribute  Update  belief  is 
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updated  with  the  same  request  ID  as  before  but  with  a  different  node  health  and 
node  ID.  Both  monitors  linked  to  Node  Attribute  Update  are  not  fired  beeause  the 
eonstraints  fail.  Likewise,  the  eonstraint  to  update  the  Node  Infeeted  belief  fails; 
so,  it  is  not  updated.  Although  this  eonstraint  fails,  either  the  eonstraint  leading  to 
the  Node  Vulnerable  belief  or  the  constraint  leading  to  the  Node  Susceptible 
belief  is  satisfied  and  the  link  is  traversed.  A  monitor  is  then  fired  and  the  Survive 
Environment  plan  is  again  updated.  With  this  update,  the  constraint  on  the  link 
leading  to  the  Secure  Critical  Path  plan  fails  and  the  Secure  Critical  Path  subtree 
is  not  updated.  The  constraint  on  the  link  leading  to  the  agility  maneuvers  is 
successful  and  agility  begins. 

The  IP  Block  plan  adds  an  action  to  be  executed  by  the  action  handler.  The 
handler  executes  the  action  requesting  a  cost  for  IP  Blocking.  At  the  same  time, 
the  engine  has  started  traversing  the  software-agility  maneuver  tree.  The 
getNumActions  method  is  called,  and  the  number  of  expected  agility  actions  is  set 
inside  the  Automated  Action  Sender  class.  The  cost  program  sends  back  a  cost  for 
the  IP  Block  plan,  and  the  Automated  Action  is  added  to  the  action  list.  At  this 
time,  more  actions  are  simultaneously  added  to  the  action  handler’s  queue  to 
request  the  costs  for  patching,  software  healing,  and  function  quarantining.  After 
the  cost  program  sends  back  costs  for  all  4  agility  actions,  the  Automated  Action 
Sender  sorts  the  list  and  sends  the  action  at  the  beginning  of  the  list  to  CyAMS. 
After  the  agility  action  is  sent  to  CyAMS,  a  new  belief  is  created  depending  on 
the  nature  of  the  agility  (network  or  software),  and  the  database  is  updated  with  a 
new  node  health  for  the  node  being  handled.  The  process  then  repeats  until  all  of 
the  nodes  in  the  network  are  immune  to  the  malicious  application. 

7.  Considerations  and  Future  Work 


7.1  Considerations 

The  CyFiA’s  current  design  as  described  in  this  report  is  a  first  step  in  a  proof  of 
concept.  The  segmentation  of  the  programs  (CyAMS,  Cost,  and  Communication) 
presented  some  issues.  For  instance,  the  decision  to  use  UDP  as  a  way  to 
communicate  proved  to  be  simple  but  ineffective.  Cost  and  routing  data  could  be 
calculated  within  the  CyFiA;  at  least,  for  small  simulations.  This  could  eliminate 
any  overhead  with  sending  the  information  to  an  outside  program  for  calculation. 
However,  the  limit  on  the  size  of  networks’  simulation  in  which  CyFiA  could 
reasonably  handle  the  computation  is  unknown  at  this  time. 
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Another  major  issue  with  the  eurrent  CyFiA  implementation  is  that  it  is  erafted 
speeifioally  to  the  simulation.  Many  key  features  that  are  needed  for  sealability  as 
well  as  funetionality  were  exeluded.  As  explained  earlier,  there  is  no  way  to  alter 
the  eritieal  path  beeause  the  aetion  is  not  yet  implemented.  Pathing  algorithms 
never  reaehed  the  eapability  of  altering  the  eritieal  path,  and  no  aetion  was  written 
to  handle  sueh  risk.  Another  downfall  of  the  simulation  is  that  it  foeused  solely  on 
node  health.  This  made  eharaeteristies  of  nodes,  sueh  as  geographieal  loeation, 
nuanees  that  were  poorly  handled  by  the  CyFiA — if  the  eharaeteristies  were 
handled  at  all.  Although  the  database  does  have  methods  to  update  all  of  these 
features,  beliefs  were  not  ereated  to  sueoessfully  filter  the  data. 

Node  health  is  an  important  issue  on  its  own.  CyAMS  provided  only  one  kind  of 
attaek  in  the  form  of  an  infeetion/vulnerability.  Node  health  was  passed  through 
the  0-0  and  D-A  graphs  as  a  string  variable.  This  logieally  means  that  if  a  node 
was  to  beeome  immune  to  the  malieious  applieation,  then  it  eould  never  beeome 
infeeted  again.  However,  if  there  were  to  be  more  types  of  attaeks,  we  would  see 
that  the  node  would  be  immune  to  both  types  of  attaeks  despite  applying  agility 
for  only  one  attaek.  Therefore,  future  design  of  the  CyFiA  will  most  likely  keep 
pairs  of  <vulnerability,  health>  or  a  veetor  so  as  to  keep  traek  of  node  health. 

An  entire  segment  of  the  CyFiA  is  ineomplete.  The  “Complete  Mission”  subgraph 
of  the  D-A  graph  was  never  finished.  The  Complete  Mission  subgraph  is 
supposed  to  determine  whether  all  of  the  nodes  in  the  network  have  been  patehed; 
however,  this  was  seen  as  a  minor  funetion  at  the  time. 

7.2  Future  Work 

With  the  massive  amount  of  information  that  will  eventually  be  used  with  the 
CyFiA  in  mind,  a  Publish  and  Subseribe  Serviee  (PASS)  server  would  be  a  better 
option  for  supplying  input  to  the  assoeiate.  The  predeeessor  of  the  CyFiA,  the 
Warfighter  Assoeiate,  uses  a  PASS  server  to  supply  new  information,  and  it  is 
believed  that  this  method  will  work  equally  as  well  for  the  CyFiA. 

Future  work  to  the  CyFiA  will  also  inelude  improvement  to  the  0-0  graph  for 
better  data  filtering,  ineluding  the  implementation  of  geographie  updates,  battery- 
level  updates,  and  node-eapability  updates.  More  beliefs  will  be  needed  to  provide 
better  filtering.  The  Node  Attribute  Update  node  will  most  likely  be  deleted  and 
replaeed  by  many  beliefs.  The  “Complete  Mission”  part  of  the  D-A  graph  will 
also  be  eompleted.  In  addition,  reasonable  deeisions  for  the  CyFiA  need  to  be 
made  for  the  situations  when  no  new  information  is  available.  This  seetion  of  the 
D-A  graph  will  eventually  address  that  issue. 
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The  total  number  of  scenarios  the  CyFiA  can  handle  will  be  greatly  increased. 
Patching  is  not  the  only  cyber-agility  mission  that  should  be  addressed.  There  are 
quite  a  few  missions  that  will  be  researched  and  implemented  into  the  CyFiA  so 
that  agility  maneuvers’  costs  and  utility  can  be  evaluated  for  situations  as  they 
occur. 

The  CyFiA  will  also  be  outfitted  with  a  GUI  such  that  a  user  can  select  which 
agility  action  he  would  like  to  attempt.  This  would  coexist  with  the  CyFiA’s  true 
nature  of  supplying  suggested  courses  of  action  to  a  user  to  be  implemented 
instead  of  making  decisions  strictly  based  on  cost.  Implementing  this  type  of 
program  flow  would  require  more  beliefs  to  be  made  to  determine  whether  an 
action  had  been  successfully  completed.  Moreover,  a  failure-mode  agility 
operation  will  be  added  for  the  situation  in  which  no  agility  maneuvers  are 
successful  and  the  cyber  operation  has  no  chance  of  success.  Finally,  the  CyFiA 
will  be  changed  to  output  agility  proposals  instead  of  outputting  agility  actions. 
This  will  cut  the  CyFiA’s  ties  with  the  CyAMS’s  patching  simulation. 

8.  Conclusions 


The  CyFiA  is  a  decision-support  program  that  works  with  the  cyber-network 
modeling  and  simulation  system,  CyAMS.  The  CyFiA  proposes  agility 
maneuvers  to  a  user  based  on  cost  and  utility  of  the  maneuver  as  well  as  the 
network  and  node  facts.  The  control  flow  of  the  program  models  a  human  OODA 
loop.  The  OODA  loop  has  been  used  as  a  model  to  describe  decision-making  in 
military  environments,  making  it  a  reasonable  model  to  use  in  the  CyFiA.  The 
CyFiA  was  tested  to  accomplish  a  patch-management  mission  while  securing  a 
critical  path.  As  a  first  proof  of  concept  a  simulation  with  a  network  of  1 0  nodes 
and  4  possible  agility  maneuvers  were  used.  In  the  future  more  agility  maneuvers 
will  be  added  and  network  complexity  increased.  It  is  projected  that  a  tool  like 
CyFiA  will  provide  network  analysts  and  cyber  teams  with  a  decision  aid  to 
evaluate  and  apply  various  agility  maneuvers  while  accomplishing  cyber  missions 
in  a  fast-changing,  dynamic  environment. 


Approved  for  public  release;  distribution  is  unlimited. 

24 


9.  References 


1.  Smith  D.  The  pilot’s  associate  program,  [accessed  2014  Aug  4]. 
http://www.dms489.com/PA/PA  index.htmh  2004. 

2.  Buchler  N,  Marusich  L,  Sokoloff  S.  The  warfighter  associate:  decision- 
support  software  agent  for  the  management  of  intelligence,  surveillance,  and 
reconnaissance  (ISR)  assets.  Proceedings  of  SPIE  vol.  9079,  Ground/Air 
Multisensor  Interoperability,  Integration,  and  Networking  for  Persistent  ISR 
V;  2014  June  10. 

3.  Buchler  N,  Marusich  L,  Bakdash  J,  Sokoloff  S,  Hamm  R.  The  warfighter 
associate:  objective  and  automated  metrics  for  mission  command,  [accessed 
2014  Aug].  http://www.asinc.com/downloads/WA_Paper.pdf,  2013. 

4.  Erbs  A,  Marvel  L.  Cost  computations  for  cyber  fighter  associate.  Aberdeen 
Proving  Ground  (MD):  Army  Research  Laboratory  (US);  2015  May.  Report 
No.:  ARL-TN-0674. 

5.  Harman  D,  Brown  S,  Henz  B,  Marvel  L.  A  communication  protocol  for 
CyAMS  and  the  cyber  fighter  associate  interface.  Aberdeen  Proving  Ground 
(MD):  Army  Research  Laboratory  (US);  2015  May.  Report  No.  ARL-TN- 
0673. 

6.  Druzdzel  M,  Flynn  R.  Decision  support  systems.  In:  Encyclopedia  of  library 
and  information  science.  2nd  ed.  New  York  (NY):  Marcel  Dekker,  Inc.; 
2002. 


Approved  for  public  release;  distribution  is  unlimited. 


25 
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Appendix.  Code  Listing 


This  appendix  appears  in  its  original  form,  without  editorial  change. 
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CyberFighterAssociate.j ava  (main) 


package  com.asinc.cyfia; 
import  com.asinc.solomon.engine. Engine; 
import  eom.asine.solomon.engine.IOutputProvider; 
import  eom.asine.solomon.engine.ThreadedOutputProvider; 
import  oom.eyfia.kb.ExeeuteMission; 
import  java.io.PrintStream; 
publie  elass  CyberEighterAssoeiate 
{ 

publie  statie  void  main(String[]  args) 

{ 

Engine  theEngine  =  null; 

lOutputProvider  outputProvider  =  new  ThreadedOutputProvider("  output", 

20000); 

NotifieationHandler  =  new  NotilieationHandler(); 

ProposalHandler  =  new  ProposalHandler(); 

CyPiAJob  jobHandler  =  new  CyPiAJob(); 

AetionsHandler  aetionHandler  =  new  AetionsHandler(); 
outputProvider.setNotifieationListener(notifieationHandler); 
outputProvider.setProposalListener(proposalHandler); 
outputProvider.setAetionListener(  aetionHandler); 
theEngine  =  new  Engine("CyEiA  Test",  null,  outputProvider); 
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j  obHandler .  setEngine(theEngine) ; 
actionHandler.setEngine(theEngine); 
ExecuteMission  rootPlan  =  new  ExecuteMission(); 
rootPlan.setRole("Maintain  Capability"); 
theEngine.updateNode(rootPlan); 

Thread  jobs  =  new  Thread(j obHandler); 

Jobs.startQ; 

System.out.println("The  Engine  has  gotten  this  far"); 

} 

} 

AetionsHandler  .j  ava 

paekage  com.asinc.cyfia; 
import  com.asine.solomon.engine. Action; 
import  com.asine.solomon.engine. Engine; 
import  com.asine.solomon.engine. QueueEistener; 
import  com.cyfia.kb.BestThroughputCost; 
import  com.cyfia.kb.CheckCriticalNodes; 
import  com.cyfia.kb.HealSoftwareCost; 
import  com.cyfia.kb.IPBlockCost; 
import  com.cyfia.kb.NodeAttributeUpdate; 
import  com.cyfia.kb.StartActionSender; 
import  com.cyfia.kb.UpdateNetworkHealth; 
import  com.cyfia.kb.WallOffCost; 
import  java.io.IOException; 
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import  java.io.PrintStream; 

import  java.net.DatagramSocket; 

import  java.net.PortUnreachableException; 

import  java.util.ArrayList; 

import  java.util. Iterator; 

import  java.util. LinkedList; 

import  java.util. List; 

import  java.util. concurrent.BlockingQueue; 

public  class  ActionsHandler  implements  QueueListener<Action> 

{ 

Engine  engine  =  null; 

Database  database  =  Database. getlnstanceQ; 

RequestHandler  requestHandler  =  RequestHandler.getInstance(tbis. engine); 
String[]  parseString; 

List<AutomatedAction>  actionList  =  new  ArrayList<AutomatedAction>(); 

public  void  setEngine(Engine  e)  {this. engine  =  e;} 
public  void  process( Action  action) 

{ 

Request  request  =  new  Request(); 
if  ((action  instanceof  CbeckCriticalNodes)) 

{ 

System.out.println("Cbeck  Critical  Nodes  Executing"); 

CbeckCriticalNodes  grapbCbeck  =  (CheckCriticalNodes)action; 

Node  affectedNode  =  this. database. getNode(graphCheck.getNodeId()); 
List<Node>  connectionsList  =  affectedNode. getConnections(); 

Approved  for  public  release;  distribution  is  unlimited. 

30 


Iterator<Node>  listiter  =  connectionsList.iterator(); 
boolean  flag  =  false; 

while  (listlter.hasNextQ) 

{ 

Node  eritiealNode  =  (Node)listIter.next(); 


if  ((eritiealNode. getNodeCritiealityO)  && 

(!  eritiealNode. getNodeHealth().equalsIgnoreCase("immune"))) 

{ 

flag  =  true; 

NodeAttributeUpdate  nodeToUpdate  =  new  NodeAttributeUpdate(); 
nodeToUpdate.setNodeId(eritiealNode.getNodeId()); 
nodeToUpdate. setRequestId(graphCheek.getRequestId()); 

nodeToUpdate.setVulnerabilitySignature(graphCheek.getVulnerbilitySignature()); 
node!  oUpdate.  setAttaekT  ype(graphCheek.  getAttaekType()); 
nodeToUpdate. setNodeHealth(eritiealNode.getNodeHealth()); 

if  (this .requestHandler. queue. offer(nodeT oUpdate)) 

{ 

System.out.println("Added  NodeAttributeUpdate  belief  to  queue  for  node  "  + 
nodeToUpdate. getNodeldO); 

} 

else 

{ 

System.out.println("Failed  to  add  eritieal  belief  to  queue"); 

} 
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} 


} 

if(!flag) 

{ 

LinkedList<Node>  nodeList  =  this. database. getNodeList(); 
listiter  =  nodeList.  iterate  r(); 

while  (listlter.hasNextQ) 

{ 

Node  eritiealNode  =  (Node)listIter.next(); 

if  (eritiealNode. getNodeCritiealityO) 

{ 

NodeAttributeUpdate  nodeToUpdate  =  new  NodeAttributeUpdate(); 

nodeToUpdate.setNodeId(eritiealNode.getNodeId()); 

nodeToUpdate. setCapability(String.valueOf(eritiealNode.getCapMetrie())); 

nodeToUpdate.setRequestId(graphCheek.getRequestId()); 

nodeToUpdate.setAttaekType(graphCheek.getAttaekType()); 

nodeToUpdate.setVulnerabilitySignature(graphCheek.getVulnerabilitySignature() 

); 

nodeToUpdate.setNodeHealth(nodeToUpdate.getNodeHealth()); 

if  (this .requestHandler. queue. offer(nodeT oUpdate)) 

{ 

System.out.println("Added  NodeAttributeUpdate  belief  to  queue  for  node  "  + 
nodeToUpdate. getNodeldO); 
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} 

else 

{ 

System.out.println("Failed  to  add  eritical  belief  to  queue"); 

} 

} 

} 

} 

}  //  This  braeket  eloses  off  the  CheekCriticalNodes  aetion 

else  if  ((action  instanceof  UpdateNetworkHealth)) 

{ 

System.out.println("Update  Network  Health  Executing"); 
UpdateNetworkHealth  affectedNode  =  (UpdateNetworkHealth)action; 
Node  compNode  =  this. database. getNode(affectedNode.getNodeId()); 
Iterator<Node>  databaselter  =  this. database. getNodeList().iterator(); 
compNode. setNodeHealth(  affectedNode. getNodcHealthO); 

if  (affectedNode. getNodeHealth().equalsIgnoreCase("infected")) 

{ 

while  (databaselter.hasNextO) 

{ 
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Node  nodeToUpdate  =  (Node)databaseIter.next(); 


if  ((!nodeToUpdate.getNodeHealth().equalsIgnoreCase("immune"))  && 

(this. database. isConnected(compNode,  nodeToUpdate))  && 
(!nodeToUpdate.getNodeHealth().equalsIgnoreCase("infeeted"))) 

{ 

nodeToUpdate. setNodeHealth("suseeptible"); 

System.out.println("Changed  node  "  +  nodeToUpdate. getNodeId()  +  "  health  to 
+  nodeToUpdate. getNodeHealthO); 

} 

else  if  ((!nodeToUpdate.getNodeHealth().equalsIgnoreCase("Immune"))  && 
(!nodeToUpdate.getNodeHealth().equalsIgnoreCase("infeeted"))) 

{ 

nodeToUpdate. setNodeHealth("vulnerable"); 

System.out.println("Changed  node  "  +  nodeToUpdate. getNodeId()  +  "  health  to 
+  nodeToUpdate. getNodeHealthO); 

} 

} 

} 


}  //  This  bracket  closes  off  the  UpdateNetworkHealth  action 


else  if  ((action  instanceof  IPBlockCost)) 

{ 

System.out.println("IP  Block  Cost  Executing"); 
try 


Approved  for  public  release;  distribution  is  unlimited. 


{ 

DatagramSocket  socket  =  new  DatagramSoeket(3081); 

DatagramSoeket  sendSoeket  =  new  DatagramSoeket(3080); 

IPBloekCost  ipBloekCost  =  (IPBloekCost)action; 

request.ereateRequestForSend(ipBloekCost.getRequestId(), 
ipBloekCost.getStartNodeId(),  ipBloekCost.getEndNodeId(),  1,  O.OD,  false); 

this.requestHandler.sendRequest(request,  sendSoeket); 

System.out.println("Sent  request  for  IP  Bloek  Cost"); 

this.requestHandler.reoeiveRequest(sooket,  this.parseString); 

System.out.printlnC'Reeeived  eost  for  IP  Bloek"); 

if  (this.parseString  ==  null) 

{ 

return; 

} 

AutomatedAetion  aAetion  =  new  AutomatedAetion(); 

aAetion.setAetionAttributes(this.parseString[0],  this.parseString[l], 
this.parseString[2],  Double.valueOf(this.parseString[3]).doubleValue(),  "bloek"); 

this. aetionList.add(  aAetion); 

} 

eateh  (PortUnreachableException  e) 

{ 

e.printStaekTraeeO; 

} 

eateh  (lOException  e) 

{ 

e.printStaekTraeeO; 
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} 

catch  (Exception  e) 

{ 

e.printStackTraceO; 

} 

}  //  This  bracket  eloses  off  IPBloekCost  aetion 

else  if  ((aetion  instaneeof  WallOffCost)) 

{ 

System.out.println("Quarantine  Function  Cost  Executing"); 

try 

{ 

DatagramSocket  socket  =  new  DatagramSoeket(3081); 

DatagramSoeket  sendSoeket  =  new  DatagramSoeket(3080); 

WallOffCost  wallOffCost  =  (WallOffCost)aotion; 

request.oreateRequestForSend(wallOffCost.getRequestId(), 
wallOffCost.getNodeldO,  wallOffCost.getNodeId(),  2,  O.OD,  false); 

this.requestHandler.sendRequest(request,  sendSoeket); 

System.out.println("Sent  request  for  Wall  Off  Cost"); 

this.requestHandler.reoeiveRequest(sooket,  this.parseString); 

System.out.printlnC'Reeeived  eost  for  Walling  off); 

if  (this.parseString  ==  null) 

{ 

return; 
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} 


AutomatedAction  aAction  =  new  AutomatedAction(); 

aAction.setActionAttributes(this.parseString[0],  this.parseString[l], 
this.parseString[2],  Double.valueOf(this.parseString[3]).doubleValue(), 
"walloff); 

this. actionList.add(  aAction); 

} 

catch  (PortUnreachablcException  e) 

{ 

e.printStackTraceO; 

} 

catch  (lOException  e) 

{ 

e.printStackTraceO; 

} 

catch  (Exception  e) 

{ 

e.printStackTraceO; 

} 

}  //  This  bracket  closes  off  the  WallOffCost  action 

else  if  ((action  instanceof  BestThroughputCost)) 

{ 

System.out.println("Patch  Pile  Cost  Executing"); 

try 
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{ 

BestThroughputCost  bestThroughputCost  =  (BestThroughputCost)action; 

DatagramSocket  socket  =  new  DatagramSoeket(3081); 

DatagramSoeket  sendSoeket  =  new  DatagramSoeket(3080); 

request.ereateRequestForSend(bestThroughputCost.getRequestId(), 
bestXhroughputCost.getEndNodeldO,  bestThroughputCost.getStartNodeId(),  5, 
Double.valueOf(bestThroughputCost.getPatchSize()).doubleValue(),  false); 

this.requestHandler.sendRequest(request,  sendSoeket); 

System.out.println("Sent  request  for  Patehing  Cost"); 

this.requestHandler.receiveRequest(sooket,  this.parseString); 

System.out.printlnC'Reeeived  eost  for  patehing"); 

if  (this.parseString  ==  null) 

{ 

return; 

} 

AutomatedAction  aAetion  =  new  AutomatedAction(); 

aAetion.setActionAttributes(this.parseString[0] ,  this.parseString[  1  ] , 
this.parseString[2],  DoubIe.valueOf(this.parseString[3]).doubIeValue(),  "patch"); 

this. actionList.add(  aAetion); 

} 

catch  (PortUnreachableException  e) 

{ 

e.printStackXraceO; 

} 

catch  (lOException  e) 

{ 
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e.printStackTraceO; 

} 

catch  (Exception  e) 

{ 

e.printStackTraceO; 

} 

}  //  This  bracket  eloses  off  the  BestThroughputCost  action 

else  if  ((action  instanceof  HealSoftwareCost)) 

{ 

System.out.println("Heal  Software  Cost  Executing"); 

try 

{ 

HealSoftwareCost  healSoftwareCost  =  (HealSoftwareCost)aotion; 

DatagramSoeket  soeket  =  new  DatagramSocket(3081); 

DatagramSoeket  sendSocket  =  new  DatagramSocket(3080); 

request.createRequestEorSend(healSoftwareCost.getRequestId(), 
healSoftwareCost.getNodeldO,  healSoftwareCost.getNodeId(),  3,  O.OD,  false); 

this.requestHandler.sendRequest(request,  sendSocket); 

System.out.println("Sent  request  for  Heal  Software  Cost"); 

this.requestHandler.reoeiveRequest(sooket,  this.parseString); 

System.out.println("Received  eost  to  Heal  Software"); 

if  (this.parseString  ==  null) 

{ 
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return; 


} 

AutomatedAction  aAction  =  new  AutomatedAction(); 

aAetion.setActionAttributes(this.parseString[0],  this.parseString[l], 
this.parseString[2],  Double.valueOf(this.parseString[3]).doubleValue(),  "heal"); 

this.aetionList.add(aAetion); 

} 

eateh  (PortUnreaehableExeeption  e) 

{ 

e.printStaekXraeeO; 

} 

eateh  (lOExeeption  e) 

{ 

e.printStaekXraeeO; 

} 

eateh  (Exeeption  e) 

{ 

e.printStaekXraeeO; 

} 

}  //  Xhis  braeket  eloses  off  the  HealSoftwareCost  aetion 

else  if  ((aetion  instaneeof  StartAetionSender)) 

{ 

System.out.println("Aotion  Sender  Start  Exeeution"); 

StartAetionSender  StartAetionSender  =  (StartAetionSender)aetion; 
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AutomatedActionSender  automatedActionSender  = 
AutomatedActionSender.getInstance(this. engine); 

automatedAetionSender.setRequestId(startAetionSender.getRequestId()); 

automatedAetionS  ender .  getNuniAetions() ; 

} 

}  //  This  braeket  eloses  off  the  StartAetionSender  aetion 

} 

AutomatedAetion.j  ava 

paekage  eom.asine.eylia; 

publie  elass  AutomatedAetion 

{ 

private  String  requestid; 
private  String  startNodeld; 
private  String  endNodeld; 
private  String  aetionName; 
private  double  eost; 

publie  void  setAotionAttributes(String  requestid,  String  startNodeld,  String 
endNodeld,  double  eost.  String  aetionName) 

{ 

this. requestid  =  requestid; 
this. StartNodeld  =  startNodeld; 
this. endNodeld  =  endNodeld; 
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this. cost  =  cost; 

this.actionName  =  actionName; 

} 


public  String  getRequestId() 

{ 

return  this.requestid; 

} 

public  String  getStartNodeId() 

{ 

return  this.startNodeld; 

} 

public  String  getEndNodeId() 

{ 

return  this.endNodeld; 

} 

public  String  getActionName() 

{ 

return  this.aetionName; 

} 

publie  double  getCostQ 

{ 

return  this.eost; 
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} 


public  String  toString() 

{ 

String  str  =  this.requestid  +  +  this.startNodeld  +  +  this.actionName  +  + 

this.endNodeld; 

return  str; 

} 

} 

AutomatedActionSender.j  ava 

package  com.asinc.cyfia; 

import  com.asinc.solomon.engine. Engine; 

import  com.cyfia.kb.IPBlockSuccess; 

import  com.cylia.kb.IPblocked; 

import  com.cyfia.kb.SoftwareActionSuccess; 

import  com.cyfia.kb.SoftwareSecured; 

import  java.io.IOException; 

import  java.net.DatagramPacket; 

import  java.net.DatagramSocket; 

import  java.net.InetAddress; 

import  java.net.  SocketException; 

import  Java.net.UnknownHostException; 

import  Java.util.ArrayEist; 

import  java.util.Eist; 

import  Java.util.concurrent.BlockingQueue; 

public  class  AutomatedActionSender 

{ 

static  AutomatedActionSender  instance  =  null; 

private  static  Eist<AutomatedAction>  actionEist  =  new 

ArrayEist<AutomatedAction>(); 

private  static  int  numActions; 

private  String  requestid; 

private  static  Engine  engine  =  null; 

static  RequestHandler  requestHandler  =  RequestHandler.getlnstance(engine); 
public  static  AutomatedActionSender  getInstance(Engine  e) 
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{ 

if  (instance  ==  null) 

{ 

engine  =  e; 

instanee  =  new  AutomatedAetionSender(); 

} 

return  instanee; 

} 

publie  void  getNumAetions() 

{ 

SoftwareSeeured  query  =  new  SoftwareSeeured(); 

IPbloeked  query  1  =  new  IPbloeked(); 
query  1 .  setRequestId(this .  requestid) ; 
query .  setRequestId(  this .  requestid) ; 

List<SoftwareSeeured>  resultList  =  engine. find(query); 
List<IPbloeked>  resultListl  =  engine. find(queryl); 

if  ((resultList.sizeO  ==  1)  &&  (resultList l.size()  ==  1)) 

{ 

if  (((SoftwareSeeured)resultList.get(0)).getPatehFile()  !=  null)  { 
numAetions  =  4; 

} 

else 

{ 

numAetions  =  3; 

} 

} 

else 

{ 

numAetions  =  2; 

} 

aetionList.  elearO; 

} 

publie  void  setRequestId(String  requestid) 

{ 

this. requestid  =  requestid; 

} 

publie  statie  void  sendAotion(List<AutomatedAotion>  aetionList) 

{ 
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for  (int  i  =  0;i<  numActions;  i++) 

{ 

actionList.add((AutomatedAction)actionList.get(i)); 

} 

if  (actionList.sizeQ  ==  numActions) 

{ 

sortList(actionList); 

try 

{ 

DatagramSocket  socket  =  new  DatagramSocket(3012); 
byte[]  sendArray  =  new  byte[1024]; 

String  str  =  ((AutomatedAetion)actionList.get(0)).toString(); 
System.arraycopy(str.getBytes(),  0,  sendArray,  0,  str.length()); 

InetAddress  outgoingThreadAddress  =  InetAddress.getLocalHost(); 
DatagramPacket  sendPacket  =  new  DatagramPaeket(sendArray, 
sendArray. length,  outgoingThreadAddress,  3011); 

while  (Isocket.isClosedQ) 

{ 

soeket.  send(sendPacket); 
socket.closeO; 

} 

} 

cateh  (SoeketExeeption  e) 

{ 

e.printStaekTraeeO; 

} 

cateh  (UnknownHostException  e) 

{ 

e.printStaekTraeeO; 

} 

cateh  (lOException  e) 

{ 

e.printStaekTraeeO; 

} 

if 

(((AutomatedAction)actionList.get(0)).getAetionName0.equalsIgnoreCase("bloc 

k")) 

{ 

IPBlockSuceess  updateNode  =  new  IPBloekSueeessO; 

AutomatedAetion  action  =  (AutomatedAction)actionEist.get(O); 
updateNode. setRequestld(action.getRequestldO); 
updateNode. setlnfNode(action.getStartNodeldO); 
updateNode. setVulnNode(action.getEndNodeldO); 
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requestHandler.queue.add(updateNode); 

} 

else 

{ 

SoftwareActionSuccess  updateNode  =  new  SoftwareActionSuccess(); 
AutomatedAction  action  =  (AutomatedAction)actionList.get(O); 
updateNode. setRequestId(action.getRequestId()); 
updateNode. setNewImmNode(action.getEndNodeId()); 
requestHandler.queue.add(updateNode); 

} 


} 

} 

public  static  void  sortList(List<AutomatedAction>  list) 

{ 

if  (((AutomatedAction)list.get(0)).getCost()  > 

(( AutomatedAction)list.  get(  1 )).  getCost()) 

{ 

AutomatedAction  tempAction  =  (AutomatedAction)list.get(O); 
list.set(0,  (AutomatedAction)list.get(l)); 
list.set(l,  tempAction); 

} 

if  (((AutomatedAction)list.get(0)).getCost()  > 
((AutomatedAction)list.get(2)).getCost()) 

{ 

AutomatedAction  tempAction  =  (AutomatedAction)list.get(O); 
list.set(0,  (AutomatedAction)list.get(2)); 
list.set(2,  tempAction); 

} 

if  (((AutomatedAction)list.get(0)).getCost()  > 
((AutomatedAction)list.get(3)).getCost()) 

{ 

AutomatedAction  tempAction  =  (AutomatedAction)list.get(O); 
list.set(0,  (AutomatedAction)list.get(3)); 
list.set(3,  tempAction); 

} 

} 

} 

CyFiAJob.java 
package  com.asinc.cylia; 
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import  com.asinc.solomon.engine. Engine; 
import  java.util.ArrayList; 
import  java.util.List; 

import  java.util.concurrent.BlockingQueue; 

public  class  CyFiAJob  implements  Runnable 

{ 

private  RequestHandler  requestHandler  =  null; 
private  Engine  engine  =  null; 

Eist<Thread>  threadList  =  new  ArrayEist<Thread>(); 

public  CyEiAJobQ 

{ 

if  (this. requestHandler  ==  null) 

{ 

this. requestHandler  =  RequestHandler.getInstance(this. engine); 

} 

} 

public  RequestHandler  getRequestHandler() 

{ 

return  this. requestHandler; 

} 

public  void  setEngine(Engine  e) 

{ 

this. engine  =  e; 

} 

public  void  run() 

{ 

boolean  beginRun  =  true; 

Thread  sE5  =  new  Thread(new  SocketEistener(3041,  this. engine)); 
this .  threadEist .  add(sE5 ) ; 

Thread  sE6  =  new  Thread(new  SocketEistener(3081,  this. engine)); 
this .  threadList .  add(sE6) ; 

Thread  sLl  =  new  Thread(new  SocketListener(3061,  this. engine)); 
this .  threadList .  add(sL  1 ) ; 

Thread  sL2  =  new  Thread(new  SocketListener(3051,  this. engine)); 
this .  threadList .  add(sL2) ; 

Thread  sL3  =  new  Thread(new  SocketListener(3071,  this. engine)); 
this .  threadList .  add(sL3 ) ; 

Thread  sL4  =  new  Thread(new  SocketListener(3031,  this. engine)); 
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this .  threadList .  add(sL4) ; 


for  (Thread  t :  this. threadList) 

{ 

t.startO; 

} 

while  ((beginRun)  ||  (this.requestHandler.queue.size()  >  0)) 

{ 

if  (this.requestHandler.queue.sizeO  >  0) 

{ 

this .  requestHandler .  makeBelief(this .  engine) ; 

} 

} 

} 

} 

Database.) ava 

paekage  eom.asine.eyfia; 

//import  java.io.PrintStream; 
import  java.util. Iterator; 
import  java.util. LinkedList; 

//import  java.util. List; 

public  class  Database 

{ 

public  LinkedList<String>  criticalPath  =  new  LinkedList<String>(); 
private  LinkedList<Node>  nodcList  =  new  LinkedList<Node>(); 
int  numNodes  =  -1; 
static  Database  instance  =  null; 

public  static  Database  getlnstance() 

{ 

if  (instance  ==  null) 

{ 

instance  =  new  Database(); 

} 

return  instance; 
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} 


public  void  changeCriticalPath(LinkedList<String>  list) 

{ 

this.criticalPath.clearO; 
this.  criticalPath.  addAll(list); 

} 

public  void  changeCriticalPath(String  node,  int  index) 

{ 

this.eritiealPath.set(index,  node); 

} 

public  void  changeCriticalPath(LinkedList<String>  list,  int  startindex,  int 
endindex) 

{ 

if  ((startindex  >=  0)  &&  (endindex  >=  0)  &&  (startindex  !=  endindex)  && 
(endindex  >  startindex)) 

{ 

if  ((startindex  <  this.eriticalPath.size())  &&  (endindex  <  this.eritiealPath.size())) 

{ 

for  (int  i  =  startindex;  i  <  endindex;  i++) 

{ 

this.eritiealPath.set(i,  (String)list.get(i)); 

} 

} 

else 

{ 

System.out.println("Index  out  of  bounds.  Did  not  ereate  new  critieal  path."); 

} 

} 

else 

{ 

System.out.println("Invalid  indices  or  start  and  end  index  are  the  same."); 

} 

} 

public  void  printCriticalPath() 

{ 

Iterator<String>  iter  =  this.eriticalPath.iterator(); 
while  (iter.hasNextO) 
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{ 

System.out.println((String)iter.next()); 

} 

} 

public  void  printNodeList() 

{ 

Iterator<Node>  iter  =  this.nodeList.iterator(); 

while  (iter.hasNextO) 

{ 

System.out.println(((Node)iter.next()).getNodeId()); 

} 

} 

public  void  setTotalNodes(int  numNodes) 

{ 

if  (numNodes  >  0) 

{ 

this. numNodes  =  numNodes; 

} 

else 

{ 

System.out.printlnC'Cannot  make  network  of  0  or  negative  nodes"); 

} 

} 

publie  void  addNode(Node  node) 

{ 

this.nodeList.add(node); 

} 

public  void  updateNodeCapability(String  nodeld,  int  capability,  String  os) 

{ 

Iterator<Node>  listiterator  =  this.nodeList.iterator(); 
boolean  flag  =  true; 

Node  nodeToUpdate  =  null; 

while  ((listIterator.hasNextO)  &&  (flag)) 

{ 

nodeToUpdate  =  (Node)listIterator.next(); 
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if  (nodeToUpdate.getNodeldO  ==  nodeld) 

{ 

flag  =  false; 

if  (capability  >=  0) 

{ 

nodeToUpdate.setCapabilityMetric(capability); 

} 

if  (os  !=  null) 

{ 

node!  oUpdate.  setOperatingSystem(os); 

} 

} 

} 

} 

public  void  updateNodeHealth(String  nodeld,  String  newHealth) 

{ 

Iterator<Node>  listiterator  =  this.nodeList.iterator(); 
boolean  flag  =  true; 

Node  nodcToUpdate  =  null; 

while  ((listIterator.hasNextO)  &&  (flag)) 

{ 

nodeToUpdate  =  (Node)listIterator.next(); 

if  (nodeToUpdate.getNodeldO  ==  nodeld) 

{ 

nodeToUpdate. setNodeHealth(newHealth); 
flag  =  false; 

} 

} 

} 

public  void  updateNodeCriticality(String  nodeld,  boolean  newCriticality) 

{ 

Iterator<Node>  listiterator  =  this.nodeList.iterator(); 
boolean  flag  =  true; 

Node  nodeToUpdate  =  null; 
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while  ((listlterator.hasNextQ)  &&  (flag)) 

{ 

nodeToUpdate  =  (Node)listIterator.next(); 

if  (nodeToUpdate.getNodeldO  ==  nodeld) 

{ 

nodeToUpdate. setNodeCriticality(newCriticality); 
flag  =  false; 

} 

} 

} 

publie  void  updateGeo(String  nodeld,  double  newLat,  double  newLon) 

{ 

Iterator<Node>  listiterator  =  this.nodeList.iterator(); 
boolean  flag  =  true; 

Node  nodeToUpdate  =  null; 

while  ((listIterator.hasNextO)  &&  (flag)) 

{ 

nodeToUpdate  =  (Node)listIterator.next(); 

if  (nodeToUpdate.getNodeldO  ==  nodeld) 

{ 

nodeToUpdate. setGeo(newLat,  newLon); 
flag  =  false; 

} 

} 

} 

publie  void  updateBattery(String  nodeld,  int  total,  double  power,  double  transfer, 
double  reeeive) 

{ 

Iterator<Node>  listiterator  =  this.nodeList.iterator(); 
boolean  flag  =  true; 

Node  nodeToUpdate  =  null; 

while  ((listIterator.hasNextO)  &&  (flag)) 

{ 

nodeToUpdate  =  (Node)listIterator.next(); 

if  (nodeToUpdate.getNodeldO  ==  nodeld) 

{ 
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if  (total  >=  0) 

{ 

node!  oUpdate.  setBatteryT  otal(total); 

} 

if  (power  >=  O.OD) 

{ 

nodeToUpdate.setBatteryPower(power); 

} 

if  (transfer  >=  O.OD) 

{ 

nodeT  oUpdate.  setBatteryT  ransfer(  transfer); 

} 

if  (reeeive  >=  O.OD) 

{ 

nodeToUpdate.setBatteryReeeive(reeeive); 

} 

flag  =  false; 

} 

} 

} 

publie  Node  getNode(String  nodelD) 

{ 

Iterator<Node>  listiterator  =  this.nodeList.iterator(); 
boolean  flag  =  true; 

Node  nodeToGet  =  null; 

while  ((listIterator.hasNextO)  &&  (flag)) 

{ 

Node  eheekNode  =  (Node)listIterator.next(); 

if  (eheekNode. getNodeId().equals(nodeID)) 

{ 

nodeToGet  =  eheekNode; 
flag  =  false; 

} 

} 

return  nodeToGet; 
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} 


public  LinkedList<Node>  getNodcListQ 

{ 

return  this.nodeList; 

} 

public  boolean  isConnected(Node  a,  Node  b) 

{ 

if  (a. getConneetions(). contains(b)) 

{ 

return  true; 

} 

return  false; 

} 

public  boolean  isCritieal(Node  a) 

{ 

return  a.getNodeCritieality(); 

} 

public  boolean  eheeklmmunity() 

{ 

Iterator<String>  listiter  =  this.eritiealPath.iterator(); 
Iterator<Node>  nodelter  =  this.nodeList.iterator(); 
boolean  flag  =  true; 

while  (listlter.hasNextQ  &&  nodeIter.hasNext()  &&  (flag)) 

{ 

Node  eheckNode  =  (Node)nodeIter.next(); 

if  ((eheekNode.getNodeldO  ==  listiter. next())  && 
(!(cheekNode.getNodeHealth().equalsIgnoreCase("immune")))) 
{ 

flag  =  false; 

} 

} 

return  flag; 

} 

public  void  addConnection(Node  a,  String  nodeld) 

{ 
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a.setConnections(getNode(nodeId)); 

} 


public  LinkedList<String>  getInfected(String  nodeld) 

{ 

LinkedList<String>  resultList  =  new  LinkedList<String>(); 
Iterator<Node>  listiter  =  this.nodeList.iterator(); 

while  (listlter.hasNextQ) 

{ 

Node  InfNode  =  (Node)listIter.next(); 

if  ((InfNode. getNodeHealth().equalsIgnoreCase("infeeted"))  && 
(!infNode.getNodeId().equalsIgnoreCase(nodeId))) 

{ 

resultList .  add(infNode .  getNodeId()) ; 

} 

} 

return  resultList; 

} 

publie  LinkedList<String>  getlmmune() 

{ 

LinkedList<String>  resultList  =  new  LinkedList<String>(); 
Iterator<Node>  listiter  =  this.nodeList.iterator(); 

while  (listIter.hasNextO) 

{ 

Node  immNode  =  (Node)listIter.next(); 

if  (immNode. getNodeHealth().equalsIgnoreCase("immune"))  {} 
resultList .  add(immNode .  getNodeId()) ; 

} 

return  resultList; 

} 

publie  boolean  eritiealPathPatehed() 

{ 

Iterator<String>  eritPathIt  =  this.eritiealPath.iterator(); 
boolean  flag  =  true; 

while  ((eritPathIt.hasNextO)  &&  (flag)) 
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{ 

String  str  =  (String)critPathIt.next(); 

Node  checkNode  =  getNode(str); 

if  (!  checkNode. getNodeHealth().equalsIgnoreCase("immune")) 

{ 

flag  =  false; 

} 

} 

return  flag; 

} 

public  void  removeConnections(String  infNode,  String  vulnNode) 

{ 

Node  node  =  getNode(infNode); 

Node  nodel  =  getNode(vulnNode); 
node.removeConnection(node  1 ); 
nodel  .removeConnection(node); 

} 

} 

Node.java 

package  com.asinc.cylia; 
import  java.util.ArrayList; 
import  java.util.List; 

public  class  Node 

{ 

private  String  nodeld; 
private  String  operatingSystem; 
private  String  nodcHealth; 
private  int  capabilityMetric; 
private  double[]  geo  =  new  double[2]; 
private  int  batteryXotal  =  100; 
private  double  batteryPower  =  lOO.OD; 
private  double  computationRate; 
private  double  batteryTransferRate; 
private  double  batteryReceivcRate; 

private  List<Node>  connections  =  new  ArrayList<Node>(); 
private  boolean  originNode  =  false; 
private  boolean  nodeCriticabty  =  false; 


Approved  for  public  release;  distribution  is  unlimited. 


56 


public  void  setNodeId(String  nodeld) 

{ 

this. nodeld  =  nodeld; 

} 

public  void  setOperatingSystem(String  os) 

{ 

this.operatingSystem  =  os; 

} 

public  void  setNodeHealth(String  nodeHealth) 

{ 

this. nodeHealth  =  nodeHealth; 

} 

public  void  setNodeCriticality(boolean  criticality) 

{ 

this.nodeCriticality  =  criticality; 

} 

public  void  setCapabilityMetric(int  cap) 

{ 

this.capabilityMetric  =  cap; 

} 

public  void  setGeo(double  lat,  double  Ion) 

{ 

this.geo[0]  =  lat; 
this.geo[l]  =  Ion; 

} 

publie  void  setBatteryTotal(int  batTotal) 

{ 

this.batteryTotal  =  batTotal; 

} 

public  void  setBatteryPower(double  batPower) 

{ 

this.batteryPower  =  batPower; 

} 

public  void  setCompRate(double  compRate) 

{ 

this.computationRate  =  compRate; 

} 
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public  void  setBatteryTransfer( double  btr) 

{ 

this.batteryTransferRate  =  btr; 

} 

public  void  setBatteryReceive(double  brr) 

{ 

this.batteryReceiveRate  =  brr; 

} 

public  void  setConnections(Node  a) 

{ 

if  ((a  !=  null)  &&  (this. connections  !=  null)) 

{ 

this. connections. add(a); 

} 

} 

public  void  setOriginNode() 

{ 

this.originNode  =  true; 

} 

publie  void  removeConneotion(Node  a) 

{ 

this.oonneotions.remove(a); 

} 

publie  String  getNodeId() 

{ 

return  this.nodeld; 

} 

publie  String  getOperatingSystem() 

{ 

return  this.operatingSystem; 

} 

public  String  getNodeHealth() 

{ 

return  this.nodeHealth; 

} 

publie  boolean  getNodeCritiealityO 
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{ 

return  this.nodeCriticality; 

} 


public  int  getCapMetric() 

{ 

return  this.capabilityMetric; 

} 

public  int  getBatteryTotal() 

{ 

return  this.batteryTotal; 

} 

public  double  getBatteryPower() 

{ 

return  this.batteryPower; 

} 

public  String  getGeo() 

{ 

String  str  =  new  String("<"  +  this.geo[0]  +  ",  "  +  this.geo[l]  + 
return  str; 

} 

public  double  getCompRate() 

{ 

return  this.computationRate; 

} 

public  double  getBatTrans() 

{ 

return  this.batteryXransferRate; 

} 

public  double  getBatRec() 

{ 

return  this.batteryReceivcRate; 

} 

public  List<Node>  getConnections() 

{ 

return  this. connections; 

} 

public  boolean  getOriginNodeQ 
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{ 

return  this.originNode; 

} 


public  boolean  isConnected(Node  a) 

{ 

if  ((a  ==  null)  II  (this. connections  ==  null)) 

{ 

return  false; 

} 

return  this. connections. contains(a); 

} 

} 

NotificationHandler.j  ava 

package  com.asinc.cyfia; 

import  com.asinc.solomon.engine.Notification; 
import  com.asinc.solomon.engine.QueucListener; 
import  com.cyfia.kb.nodelsinfected; 
import  com.cyfia.kb.nodelsSusceptible; 
import  com.cyfia.kb.nodelsVulnerable; 
import  com.cyfia.kb.requestCreated; 
import  java.io.PrintStream; 

public  class  NotificationHandler  implements  QueueListener<Notification> 

{ 

public  void  process(Notilication  notification) 

{ 

System.out.println("The  Notification  Handler  has  started"); 
System.out.println("The  thread  is:  "  +  Thread. currentThread()); 

if  ((notification  instanceof  nodelsVulnerable)) 

{ 

nodelsVulnerable  myNotification  =  (nodelsVulnerable)notification; 
System.out.println("\n"  +  myNotification.getNotificationDescription()); 
System.out.println("Node  ID:  "  +  myNotification.getNodeId()); 
System.out.println("Node's  health  has  changed  to:"  + 
myNotification.getNodcHealthO); 

} 

else  if  ((notification  instanceof  nodelsinfected)) 

{ 
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nodelsinfected  myNotification  =  (nodelslnfected)notification; 
System.out.println("\n"  +  myNotification.getNotificationDescription()); 
System.out.println("Node  ID;  "  +  myNotification.getNodeId()); 
System.out.println("Node's  health  has  changed  to:  "  + 
myNotification.getNodeHealthO); 

} 

else  if  ((notification  instanceof  nodelsSusceptible)) 

{ 

nodelsSusceptible  myNotification  =  (nodelsSusceptible)notification; 
System.out.println("\n"  +  myNotification.getNotificationDescription()); 
System.out.println("Node  ID;  "  +  myNotification.getNodeldO); 
System.out.println("Node's  health  has  changed  to:  "  + 
myNotification.getNodeHealthO); 

} 

else  if  ((notification  instanceof  requestCreated)) 

{ 

requestCreated  myNotification  =  (requestCreated)notification; 
System.out.println(myNotification.getNotificationDescription()); 

} 

} 

} 

PatchFile.java 

package  com.asinc.cyfia; 

import  java.util. Random; 

public  class  PatchFile 

{ 

protected  String  patchFile; 
protected  float  patchSize; 
protected  String  originNode; 

Random  rand  =  new  Random(); 

public  PatchFileO 

{ 

this.patchFile  =  "Chicken  Noodle  Soup.forthecomputersoul"; 
this.patchSize  =  this.rand.nextFloat(); 

} 

public  String  getPatchFile() 

{ 

return  this.patchFile; 

} 
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public  float  getPatchSizeQ 

{ 

return  this.patchSize; 

} 

} 

ProposalHandler.j  ava 

package  com.asinc.cyfia; 

import  com.asinc.solomon.engine.Plan; 
import  com.asinc.solomon.engine.QueueListener; 
import  com.cyfia.kb.BlocklP; 
import  com.cyfia.kb.HealSoftware; 
import  com.cyfia.kb.PatchFile; 

public  class  ProposalHandler  implements  QueueListener<Plan> 

{ 

public  void  process(Plan  plan) 

{ 

//if  (!(plan  instanceof  PatchFile)) 

{ 

//if  (!(plan  instanceof  BlockIP)) 

{ 

//  (plan  instanceof  HealSoftware); 

} 

} 

//  I'm  not  sure  if  I  used  this  for  anything.  I  think  at  some  point  I  decided  proposals 
were  not  needed  because  the  simulation  was  completely  autonomous 

Request.)  ava 

package  com.asinc.cyfia; 

import  java.io.PrintStream; 

public  class  Request 

{ 

private  String  requestid  =  null; 
private  String  startNodeld  =  null; 
private  String  endNodeld  =  null; 
private  double  patchSize  =  O.OD; 
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private  int  planNum; 
private  boolean  isBat  =  false; 


public  void  createRequestForSend(String  requestid,  String  startNodeld,  String 
endNodeld,  int  planNum,  double  patchSize,  boolean  battery) 

{ 

if  ((planNum  >=  1)  &&  (planNum  <=  5)) 

{ 

this. requestid  =  requestid; 
this. StartNodeld  =  startNodeld; 
this. endNodeld  =  endNodeld; 
this.patchSize  =  patchSize; 
this.planNum  =  planNum; 
this.isBat  =  battery; 

} 

else 

{ 

System.out.println("Plan  index  out  of  bounds"); 

} 

} 

public  String  getRequestId() 

{ 

return  this. requestid; 

} 

public  String  getStartNodeId() 

{ 

return  this. startNodeld; 

} 

public  String  getEndNodeId() 

{ 

return  this. endNodeld; 

} 

public  double  getPatchSize() 

{ 

return  this.patchSize; 

} 

public  int  getPlanNum() 

{ 

return  this.planNum; 
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} 

public  Request  getRequest() 

{ 

return  this; 

} 


publie  boolean  getIsBat() 

{ 

return  this.isBat; 

} 

publie  String  toString() 

{ 

String  str  =  this.requestid  +  +  this.startNodeld  +  +  this.endNodeld  +  + 

this.planNum  +  +  this.patehSize  +  +  this.isBat; 

return  str; 

} 

} 

RequestHandler.j  ava 

paekage  eom.asine.eylia; 

import  oom.asino.solomon.engine. Engine; 

import  oom.asino.solomon.engine.Node; 

import  oom.eyfia.kb.IPBlookSuoeess; 

import  oom.eyfia.kb.NodeAttributeUpdate; 

import  eom.eyfia.kb.NodeBatteryUpdate; 

import  oom.eyfia.kb.NodeCapabilitiesUpdate; 

import  eom.eyfia.kb.NodeGeoUpdate; 

import  oom.eyfia.kb.NodeHealthChange; 

import  oom.eyfia.kb.SoftwareAotionSuoeess; 

import  java.io.IOExeeption; 

import  java.io.PrintStream; 

import  java.net.DatagramPaeket; 

import  java.net.DatagramSoeket; 

import  java.net.InetAddress; 

import  java.net.PortElnreaohableExoeption; 

import  j  ava.net.  SoeketT  ImeoutExeeption; 

import  java.util.EinkedList; 

import  java.util.oonourrent.BloekingQueue; 

import  java.util.oonourrent.EinkedBlookingQueue; 

publie  elass  RequestHandler 
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{ 

BlockingQueue<Request>  requestQueue  =  new 
LinkedBlockingQueue<Request>(); 

BlockingQueue<Node>  queue  =  new  LinkedBloekingQueue<Node>(); 
statie  RequestHandler  instanee  =  null; 

Database  database  =  Database. getlnstaneeQ; 
statie  Engine  engine  =  null; 

publie  statie  RequestHandler  getInstanee(Engine  e) 

{ 

if  (instanee  ==  null) 

{ 

engine  =  e; 

instanee  =  new  RequestHandler(); 

} 

return  instanee; 

} 

publie  void  makeBelief(Engine  engine) 

{ 

try 

{ 

if  ((this.queue.peekO  instaneeof  NodeAttributeEipdate)) 

{ 

NodeAttributeEipdate  belief  =  (NodeAttributeUpdate)this.queue.take(); 
engine.updateNode(belief); 

} 

else  if  ((this.queue.peekO  instaneeof  NodeCapabilitiesUpdate)) 

{ 

NodeCapabilitiesUpdate  belief  =  (NodeCapabilitiesUpdate)this.queue.take(); 
engine.updateNode(belief); 

} 

else  if  ((this.queue.peekO  instaneeof  NodeHealthChange)) 

{ 

NodeHealthChange  belief  =  (NodeHealthChange)this.queue.take(); 
engine.updateNode(belief); 

} 

else  if  ((this.queue.peekO  instaneeof  IPBlockSueeess)) 

{ 

IPBloekSueoess  belief  =  (IPBloekSueeess)this.queue.take(); 
engine.updateNode(belief); 

} 

else  if  ((this.queue.peekO  instaneeof  SoftwareAetionSueeess)) 
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{ 

SoftwareActionSuccess  belief  =  (SoftwareAetionSueeess)this. queue. takeQ; 
engine.updateNode(belief); 

} 

else  if  ((this. queue. peek()  instaneeof  NodeGeoUpdate)) 

{ 

NodeGeoUpdate  belief  =  (NodeGeoUpdate)this.queue.take(); 
engine.updateNode(belief); 

} 

else  if  ((this. queue. peek()  instaneeof  NodeBatteryUpdate)) 

{ 

NodeBatteryUpdate  belief  =  (NodeBatteryUpdate)this.queue.take(); 
engine.updateNode(belief); 

} 

} 

catch  (InterruptedException  e) 

{ 

e.printStackTraceO; 

} 

} 

public  void  sendRequest(Request  r,  DatagramSocket  outputSocket) 

{ 

try 

{ 

outputSocket.setSoTimeout(  15000); 

String  str  =  r.toString(); 

byte[]  sendArray  =  new  byte[1024]; 

System.arraycopy(str.getBytes(),  0,  sendArray,  0,  str.length()); 

InetAddress  outgoingThreadAddress  =  InetAddress.getLocalHost(); 
DatagramPacket  sendPacket  =  new  DatagramPacket(sendArray, 
sendArray.length,  outgoingThreadAddress,  3082); 

while  (!outputSocket.isClosed()) 

{ 

outputSocket.send(sendPacket); 

System.out.println("Sent  string:  "  +  str); 
outputSocket.closeO; 

} 

} 

catch  (SocketTimeoutException  e) 
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{ 

e.printStackTraceO; 

} 

catch  (PortUnreachableException  e) 

{ 

e.printStackTraceO; 

} 

eateh  (lOExeeption  e) 

{ 

e.printStaekTraeeO; 

} 

eateh  (Exeeption  e) 

{ 

e.printStaekTraeeO; 

} 

} 

public  void  receiveRequest(DatagramSocket  inputThreadSocket, 
EinkedList<String>  list,  String  endNode,  String[]  parseString) 

{ 

try 

{ 

System.out.println("Request  listener  listening  on  port  3081"); 

inputThreadSooket.setSoTimeout(15000); 

byte[]  reeeivedData  =  new  byte[1024]; 

DatagramPaeket  reeeivedPaeket  =  new  DatagramPaeket(reeeivedData, 
reeeivedData.length); 

while  ( ! inputThreadSoeket.isClosedO) 

{ 

inputThreadSoeket.reeeive(receivedPaeket); 

String  rDataString  =  receivedData.toStringO; 
parseString  =  rDataString.split(","); 

System.out.println(parseString); 

if  ( !  list.eontains(parseString[  1  ])) 

{ 

list.add(parseString[  1  ]); 

} 

if  (!list.eontains(parseString[2])) 

{ 

list.add(parseString[2]); 

} 


Approved  for  public  release;  distribution  is  unlimited. 


67 


if  (list.contains(endNode)) 

{ 

inputThreadSocket.close(); 

} 

} 

} 

catch  (Socket! imeoutException  e) 

{ 

e.printStackTraceO; 

} 

catch  (PortUnreachableException  e) 

{ 

e.printStackTraceO; 

} 

catch  (lOException  e) 

{ 

e.printStackTraceO; 

} 

catch  (Exception  e) 

{ 

e.printStaekTraeeO; 

} 

} 

publie  void  reoeiveRequest(DatagramSocket  inputXhreadSoeket,  String[] 
parseString) 

{ 

try 

{ 

System.out.println("Request  listener  listening  on  port  3081"); 

inputThreadSooket.setSoTimeout(15000); 

byte[]  receivedData  =  new  byte[1024]; 

DatagramPacket  receivedPacket  =  new  DatagramPaeket(receivedData, 
reeeivedData.length); 

while  ( ! inputXhreadSoeket. isClosedO) 

{ 

inputThreadSoeket.receive(receivedPacket); 

String  rDataString  =  reeeivedData.toStringO; 
parseString  =  rDataString.split(","); 
inputXhreadSoeket.closeO; 

} 

} 
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catch  (Socket! imeoutException  e) 

{ 

e.printStackTraceO; 

} 

catch  (PortUnreachableException  e) 

{ 

e.printStackTraceO; 

} 

cateh  (lOException  e) 

{ 

e.printStaekTraceO; 

} 

eatch  (Exception  e) 

{ 

e.printStackTraeeO; 

} 

} 

} 

SoeketEistener.j  ava 

package  com.asinc.eyfia; 

import  com.asinc.solomon.engine. Engine; 
import  com.cyfia.kb.NodeBatteryEipdate; 
import  eom.cyfia.kb.NodeCapabilitiesUpdate; 
import  com.cyfia.kb.NodeGeoUpdate; 
import  com.cyfia.kb.NodeHealthChange; 
import  java.io.IOExeeption; 
import  java.io.PrintStream; 
import  java.net.DatagramPacket; 
import  java.net.DatagramSoeket; 
import  java.net.PortUnreaehableException; 
import  j  ava.net.  Socket!  imeoutExeeption; 
import  java.util.ArrayEist; 
import  java.util.EinkedList; 
import  java.util.Eist; 

import  java.util.eoneurrent.BlockingQueue; 

publie  elass  SocketEistener  implements  Runnable 

{ 

private  int  port; 

statie  Eist<String>  critiealNodeEist  =  new  ArrayEist<String>(); 
Engine  engine; 
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private  String  inData  =  null; 

private  String  delims  = 

private  String[]  tokens  =  null; 

private  statie  final  int  MAXREADSIZE  =  2048; 

int  count  =  0; 

RequestHandler  queue  =  RequestHandler.getInstance(this. engine); 
Database  database  =  Database. getlnstanceQ; 

public  SocketListener(int  port,  Engine  e) 

{ 

this.port  =  port; 
this. engine  =  e; 

} 

public  void  setEngine(Engine  e) 

{ 

this. engine  =  e; 

} 


public  void  run() 

{ 

boolean  run  =  true; 

try 

{ 

System.out.println("The  listener  has  started.  Trying  to  listen  on  port;  "  + 
this.port); 

DatagramSocket  listenSocket  =  new  DatagramSocket( this.port); 
listenSocket.setReceiveBufferSize(lOOOOOOOOO); 
listenSocket.  setSoT  imeout(  1 20000); 

System.out.printlnC'Successfully  started  listening  on  port:  "  +  this.port); 
byte[]  receivedData  =  new  byte[2048]; 

DatagramPacket  receivedPacket  =  new  DatagramPacket(receivedData, 
receivedData.length); 

while  (run) 

{ 

listenSocket.receive(receivedPacket); 

System.out.println("Received  data  on  port:  "  +  this.port  +  "!"); 

if  ((this.port  ==  3061)  &&  (receivedData.length  !=  0)) 

{ 

setlnData(receivedPacket); 

NodeCapabilitiesElpdate  nodcToElpdate  =  new  NodeCapabilitiesElpdate(); 

nodeToUpdate.setRequestId(this.tokens[0]); 

node!  oElpdate.  setNodeId(this  .tokens  [  1  ]); 

nodeToUpdate.setCapability(this.tokens[2]); 

nodeToUpdate.setOs(this.tokens[3]); 
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if  (nodeToUpdate.getRequestldQ  !=  null) 

{ 


if  (this .  queue .  queue .  o  ffer(nodeT oUpdate)) 

{ 

System.out.println(" Added  a  belief  to  the  queue."); 

} 

else 

{ 

System.out.println("Failed  to  add  belief  to  queue"); 

} 

} 

else 

{ 

System.out.println("Failed  to  make  belief:  Node  Capability  Update"); 

} 

} 

else  if  ((this.port  ==  3051)  &&  (receivedData. length  !=  0)) 

{ 

setlnData(reeeivedPaeket); 

NodeHealthChange  nodeHealthChange  =  new  NodeHealthChange(); 
nodeHealthChange.setRequestId(this.tokens[0]); 
nodeHealthChange.setNodeId(this.tokens[l]); 
nodeHealthChange. setNodeHealth(  this. tokens[2]); 
nodeHealthChange.  setAttackT  ype(this  .tokens  [3  ]); 
nodeHealthChange. setVulnerabilitySignature(this.tokens[4]); 
if  ((nodeHealthChange. getRequestIdO  !=  null)  && 
(nodeHealthChange. getNodeHealthO  !=  null)  && 
(nodeHealthChange. getAttackTypeO  !=  null)) 

{ 

if  (this .  queue .  queue .  offer(nodeHealthChange)) 

{ 

System.out.println("Added  a  belief  to  the  queue"); 

} 

else 

{ 

System.out.println("Failed  to  add  belief  to  queue"); 

} 

} 

else 

{ 

System.out.println("Failed  to  make  belief:  Node  Health  Change"); 
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} 


} 

else  if  ((this.port  ==  3071)  &&  (reeeivedData. length  !=  0)) 

{ 

setlnData(reeeivedPacket); 

NodeGeoUpdate  nodeXoUpdate  =  new  NodeGeoUpdateQ; 
nodeToUpdate.setRequestId(this.tokens[0]); 
node!  oUpdate.  setNodeId(this  .tokens  [  1  ]); 
nodeToUpdate.setLat(Double.valueOf(this.tokens[2])); 
node!  oUpdate.  setLon(Double.valueOf(this  .tokens  [3  ])); 

if  ((nodeXoUpdate. getNodeldO  !=  null)  && 

(nodeXoUpdate. getLat().doubleValue()  >=  O.OD)  && 

(nodeXoUpdate. getLon().doubleValue()  >=  O.OD)) 

{ 

if  (this . queue .  queue . o ffer(nodeX oUpdate)) 

{ 

System.out.println("Added  belief  to  the  queue"); 

} 

else 

{ 

System.out.println("Failed  to  add  belief  to  queue"); 

} 

} 

else 

{ 

System.out.println("Failed  to  make  belief:  Node  Geo  Update"); 

} 

} 

else  if  ((this.port  ==  3031)  &&  (reeeivedData. length  !=  0)) 

{ 

setlnData(reeeivedPaeket); 

NodeBatteryUpdate  nodeXoUpdate  =  new  NodeBatteryUpdate(); 

nodeXoUpdate. setRequestId(  this. tokens[0]); 

nodeX  oUpdate.  setNodeId(this  .tokens  [  1  ]); 

nodeX  oUpdate.  setBatteryLevel(this  .tokens  [2]); 

nodeX  oUpdate.  setBatteryPower(this  .tokens  [3  ]); 

nodeX  oUpdate.  setCompRate(this  .tokens  [4]); 

nodeX  oUpdate .  setX  ransferRate(this .  tokens  [5  ] ) ; 

nodeXoUpdate.setReeeiveRate(this.tokens[6]); 

if  ((nodeXoUpdate. getBatteryLevelO  !=  null)  &&  (nodeXoUpdate.getNodeId() 
null)  &&  (nodeXoUpdate.getRequestIdO  !=  null)) 
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{ 


if  (this .  queue .  queue .  o  ffer(nodeT oUpdate)) 

{ 

System.out.println("Added  belief  to  queue"); 

} 

else 

{ 

System.out.println("Failed  to  add  belief  to  queue"); 

} 

} 

else 

{ 

System.out.println("Failed  to  make  belief:  Node  Battery  Update"); 

} 

} 

else  if  ((this.port  ==  3041)  &&  (reeeivedData. length  !=  0)) 

{ 

setlnData(reeeivedPaeket); 
this.eount+=  1; 

Node  node  =  this.database.getNode(this.tokens[l]); 

Node  nodel  =  this. database. getNode(this.tokens[2]); 

if  (node  ==  null) 

{ 

node  =  new  Node(); 
node.setNodeId(this.tokens[l]); 
node.setNodeHealth("normal"); 
this. database. addNode(node); 

if  (eritiealNodeList.  eontains(this  .tokens  [  1  ])) 

{ 

this .  database .  eritie  alPath.  add(this .  tokens  [  1  ] ) ; 
node.setNodeCritieality(true); 

} 

} 

if  (nodel  ==  null) 

{ 

nodel  =  new  Node(); 
nodel. setNodeId(this.tokens[2]); 
nodel  .setNodeHealthC'normal"); 
this. database. addNode(nodel); 
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if  (criticalNodeList.  contains(this  .tokens  [2])) 

{ 

this. database. criticalPath.add(  this. tokens[2]); 
node.setNodeCritieality(true); 

} 


} 

if  ((node  !=  null)  &&  (nodel  !=  null)  &&  (Inode. isConneeted(nodel))) 

{ 

this. database. addConnection(node,  nodel .getNodeId()); 

} 

if  (this.eount  ==  22) 

{ 

this.database.printNodeListO; 
this.database.printCritiealPathO; 
run  =  false; 

} 

} 

else  if  ((this.port  ==  3081)  &&  (reeeivedData.length  !=  0)) 

{ 

setlnData(reeeivedPaeket); 

if  (this.database.getNode(this.tokens[l])  !=  null) 

{ 

this .  database .  eritie  alPath.  add(this .  tokens  [  1  ] ) ; 
this.database.getNode(this.tokens[l]).setNodeCritieality(true); 

} 

else 

{ 

eritiealNodeList.add(this.tokens[  1  ]); 

} 

if  (this.tokens[2].equals("-l")) 

{ 

listenSoeket.eloseO; 
this.database.printCritiealPathO; 
run  =  false; 

} 

} 

} 
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listenSocket.closeO; 

} 

catch  (Socket! imeoutException  e) 

{ 

e.printStackTrace(); 

} 

catch  (PortUnreachableException  e) 

{ 

e.printStackTrace(); 

} 

catch  (lOException  e) 

{ 

e.printStackTraceO; 

} 

catch  (Exception  e) 

{ 

e.printStaokTraeeO; 

} 

} 

public  String  getInData() 

{ 

return  this.inData; 

} 

publie  void  setInData(DatagramPaoket  r) 

{ 

this.inData  =  new  String(r.getData()); 

System.out.println("Reeeived:  "  +  this.inData  +  "  "  +  this.inData.length()); 
this. tokens  =  this. inData.split(  this. delims); 

} 

publie  int  getTokensSize() 

{ 

return  this.tokens. length; 

} 

publie  String  getNewRequestID() 

{ 

String  str  =  Integer.toString(this.eount); 
this.eount+=  1; 
return  str; 

} 

} 
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List  of  Symbols,  Abbreviations,  and  Acronyms 


CRA 

Collaborative  Research  Alliance 

CSec 

Cyber-Security 

CyAMS 

Cyber  Army  Modeling  and  Simulation 

CyFiA 

Cyber  Fighter  Associate 

D-A 

Decide-Act 

GUI 

graphical  user  interface 

ID 

identification 

IP 

Intrusion  Prevention 

0-0 

Observe-Orient 

OODA 

Observe,  Orient,  Decide,  Act 

PASS 

Publish  and  Subscribe  Service 

SA 

situational  awareness 

SIIS 

Systems  and  Internet  Infrastructure  Security 

UDP 

User  Datagram  Protocol 
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